Lycheeorg

Lychee

11 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
2.3

CVE-2026-39957

  • EPSS 0.03%
  • Veröffentlicht 09.04.2026 17:16:30
  • Zuletzt bearbeitet 13.04.2026 15:02:27

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when() block. Any authe...

5.4

CVE-2026-33738

Exploit
  • EPSS 0.06%
  • Veröffentlicht 26.03.2026 20:25:44
  • Zuletzt bearbeitet 30.03.2026 18:45:14

Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templa...

4.3

CVE-2026-33644

Exploit
  • EPSS 0.03%
  • Veröffentlicht 26.03.2026 20:04:18
  • Zuletzt bearbeitet 30.03.2026 18:10:16

Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a...

5

CVE-2026-33537

Exploit
  • EPSS 0.03%
  • Veröffentlicht 26.03.2026 20:01:19
  • Zuletzt bearbeitet 01.04.2026 18:56:40

Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version...

4.3

CVE-2026-22784

Exploit
  • EPSS 0.05%
  • Veröffentlicht 12.01.2026 18:37:55
  • Zuletzt bearbeitet 16.01.2026 18:39:42

Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected album...

3

CVE-2025-53018

  • EPSS 0.04%
  • Veröffentlicht 27.06.2025 13:00:14
  • Zuletzt bearbeitet 15.04.2026 00:35:42

Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery (SSRF) vulnerability exists in the `/api/v2/Photo::fromUrl` endpoint. This flaw lets an attacker instruct the application’s backend t...

7.5

CVE-2025-50202

  • EPSS 0.13%
  • Veröffentlicht 18.06.2025 04:13:01
  • Zuletzt bearbeitet 15.04.2026 00:35:42

Lychee is a free photo-management tool. In versions starting from 6.6.6 to before 6.6.10, an attacker can leak local files including environment variables, nginx logs, other user's uploaded images, and configuration secrets due to a path traversal ex...

8.3

CVE-2024-25808

Exploit
  • EPSS 1.07%
  • Veröffentlicht 22.03.2024 04:15:11
  • Zuletzt bearbeitet 28.05.2025 18:44:46

Cross-site Request Forgery (CSRF) vulnerability in Lychee version 3.1.6, allows remote attackers to execute arbitrary code via the create new album function.

6.1

CVE-2024-25807

Exploit
  • EPSS 0.25%
  • Veröffentlicht 22.03.2024 03:15:07
  • Zuletzt bearbeitet 28.05.2025 18:46:49

Cross Site Scripting (XSS) vulnerability in Lychee 3.1.6, allows remote attackers to execute arbitrary code and obtain sensitive information via the title parameter when creating an album.

9.8

CVE-2023-52082

  • EPSS 0.38%
  • Veröffentlicht 28.12.2023 16:16:02
  • Zuletzt bearbeitet 21.11.2024 08:39:08

Lychee is a free photo-management tool. Prior to 5.0.2, Lychee is vulnerable to an SQL injection on any binding when using mysql/mariadb. This injection is only active for users with the `.env` settings set to DB_LOG_SQL=true and DB_LOG_SQL_EXPLAIN=...