XSS in Lycheeorg Lychee

CVE-2026-33738

Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.001 (23.2th percentile) — read the EPSS interpretation.

Affected products

Lycheeorg Lychee — versions < 7.5.3

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j (x_refsource_CONFIRM)
https://github.com/LycheeOrg/Lychee/pull/4218 (x_refsource_MISC)
https://github.com/LycheeOrg/Lychee/commit/d2e2606a0223d5a384d5b806db1b31eb587adc5c (x_refsource_MISC)
https://github.com/LycheeOrg/Lychee/releases/tag/v7.5.3 (x_refsource_MISC)