CVE-2026-33644

Published
View on NVD ↗
CVSS v3
4.3
MEDIUM
CVSS v2
N/A
Affected
1
PROJECT

Description

Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue.

LycheeOrg/Lychee
LycheeOrg/Lychee
A great looking and easy-to-use photo-management-system you can run on your server, to manage and share photos.
GitHubGitHub
4.18K