SSRF in Lycheeorg Lychee

CVE-2026-33537

Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.000 (13.0th percentile)

Affected products

Weakness classification (CWE)

References