Vulnerabilities in LycheeOrg
8 results

CVE-2025-50202 (HIGH, EPSS 0.5%): Lychee Path Traversal Vulnerability
CVE-2023-52082 (HIGH, EPSS 0.5%): Lychee is vulnerable to an SQL Injection in explain DB queries.
CVE-2026-33537 (MEDIUM, EPSS 0.3%): Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl — loopback and link-local IPs not blocked
CVE-2026-22784 (LOW, EPSS 0.2%): Lychee cross-album password propagation on Album unlocking
CVE-2026-33644 (LOW, EPSS 0.2%): Lychee has SSRF bypass via DNS rebinding — PhotoUrlRule only validates IP addresses, not hostnames resolving to internal IPs
CVE-2026-33738 (MEDIUM, EPSS 0.2%): Lychee Vulnerable to Stored XSS via Photo Description in RSS/Atom/JSON Feed (No Sanitization on Public Endpoint)
CVE-2026-39957 (LOW, EPSS 0.2%): Lychee has Broken Access Control in SharingController::listAll() leaks private album sharing metadata to unauthorized users
CVE-2025-53018 (LOW, EPSS 0.2%): Lychee has Server-Side Request Forgery (SSRF) in Photo::fromUrl API via unvalidated remote image URLs