Lycheeorg Lychee
8 CVEs affecting Lycheeorg Lychee. Latest disclosed: 2026-04-09. Critical: 0, High: 2.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-52082 | High | 8.8 | 2023-12-28 | Lychee is a free photo-management tool. Prior to 5.0.2, Lychee is vulnerable to an SQL injection on any binding when using mysql/mariadb. This injection is on… |
| CVE-2025-50202 | High | 7.5 | 2025-06-18 | Lychee is a free photo-management tool. In versions starting from 6.6.6 to before 6.6.10, an attacker can leak local files including environment variables, ngi… |
| CVE-2025-53018 | Low | 3.0 | 2025-06-27 | Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery (SSRF) vulnerability exists in the `/api/v… |
| CVE-2026-39957 | | | 2026-04-09 | Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes the orWhereNotNull('u… |
| CVE-2026-33738 | | | 2026-03-26 | Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered usi… |
| CVE-2026-33644 | | | 2026-03-26 | Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The… |
| CVE-2026-33537 | | | 2026-03-26 | Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validat… |
| CVE-2026-22784 | | | 2026-01-12 | Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that… |