SSRF in Lycheeorg Lychee

CVE-2026-33644

Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (lines 86-89) only activates when the hostname is an IP addr…
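The bypass described above is the classic validate-then-fetch race: the rule inspects an address once, but the HTTP client that performs the real download resolves the hostname again, and an attacker-controlled DNS zone can answer differently the second time. The following is an added illustration of that pattern and of the usual fix (resolve once, check that address, connect to that same address), written in Python for this page; it is not Lychee's `PhotoUrlRule.php`, and the `RebindingResolver`, the `BACKENDS` table, the `http_get` stand-in and the hostname `photos.example` are all constructed here so the example runs offline.

```python
"""DNS-rebinding bypass of a validate-then-fetch SSRF guard, next to a pinned fix.
Added illustration for this page; not the project's own code."""
import ipaddress
from urllib.parse import urlparse


class RebindingResolver:
    """Constructed stand-in for an attacker-controlled DNS zone.

    The first answer is a harmless public address (so a one-shot validator
    passes); every later answer points inside the network.
    """

    def __init__(self, answers):
        self.answers = list(answers)
        self.lookups = 0

    def resolve(self, host):
        ip = self.answers[min(self.lookups, len(self.answers) - 1)]
        self.lookups += 1
        return ip


# Ranges a server-side image fetcher should never talk to (assumed policy).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def ip_allowed(ip_str):
    ip = ipaddress.ip_address(ip_str)
    # "::ffff:169.254.169.254" is still 169.254.169.254; unwrap before checking.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not any(ip in net for net in BLOCKED_NETS)


# Constructed backends: what a connection to each address would answer.
BACKENDS = {
    "93.184.216.34": "200 OK: public image",
    "169.254.169.254": "200 OK: cloud metadata (internal)",
}


def http_get(ip, host, path):
    """Stand-in for the HTTP client once it has an address to connect to."""
    return BACKENDS.get(ip, "connection refused")


def validate_naive(url, resolver):
    """Validate-time check only: literals are inspected, names are resolved once."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return ip_allowed(host)
    except ValueError:                 # not a literal, so resolve it
        return ip_allowed(resolver.resolve(host))


def fetch_naive(url, resolver):
    """Vulnerable pattern: the check and the connection each do their own lookup."""
    if not validate_naive(url, resolver):
        raise ValueError("blocked by SSRF rule")
    p = urlparse(url)
    ip = resolver.resolve(p.hostname)  # second lookup: the rebound answer lands here
    return http_get(ip, p.hostname, p.path)


def fetch_pinned(url, resolver):
    """Hardened pattern: resolve once, check that address, connect to that address."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or p.hostname is None:
        raise ValueError("unsupported URL")
    try:
        ip = str(ipaddress.ip_address(p.hostname))
    except ValueError:
        ip = resolver.resolve(p.hostname)
    if not ip_allowed(ip):
        raise ValueError("blocked by SSRF rule")
    return http_get(ip, p.hostname, p.path)   # Host header still carries the name


if __name__ == "__main__":
    url = "http://photos.example/cat.jpg"
    zone = ["93.184.216.34", "169.254.169.254"]
    print("naive :", fetch_naive(url, RebindingResolver(zone)))
    print("pinned:", fetch_pinned(url, RebindingResolver(zone)))
```

With the same rebinding zone, `fetch_naive` ends up reading the internal backend while `fetch_pinned` reaches only the address that was actually checked. In a real client the pinned address has to be fed to the transport while the Host header and TLS SNI keep the original name (curl exposes this as `--resolve` / `CURLOPT_RESOLVE`), redirects must either be disabled or re-run the check on every hop, and non-HTTP schemes should be rejected up front.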

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS score: 0.000 (12.2nd percentile)

Affected products

Weakness classification (CWE)

References