CVE-2026-33537

Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach internal services using direct IP addresses, bypassing all four protection configuration settings even when they are set to their secure defaults. Version 7.5.1 contains a fix for the issue.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/LycheeOrg/Lychee/commit/41386677681d18cd04e42a35b50bd88bf53a4a6a	Patch
https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-vq6w-prpf-h287	Exploit Mitigation Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lycheeorg:lychee:*:*:*:*:*:*:*:*

History

01 Apr 2026, 18:56

Type	Values Removed	Values Added
CPE		cpe:2.3:a:lycheeorg:lychee::::::::
First Time		Lycheeorg Lycheeorg lychee
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.0
References	~~() https://github.com/LycheeOrg/Lychee/commit/41386677681d18cd04e42a35b50bd88bf53a4a6a -~~	() https://github.com/LycheeOrg/Lychee/commit/41386677681d18cd04e42a35b50bd88bf53a4a6a - Patch
References	~~() https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-vq6w-prpf-h287 -~~	() https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-vq6w-prpf-h287 - Exploit, Mitigation, Patch, Vendor Advisory

30 Mar 2026, 13:26

Type	Values Removed	Values Added
Summary		(es) Lychee es una herramienta de gestión de fotos gratuita y de código abierto. El parche introducido para GHSA-cpgw-wgf3-xc6v (SSRF a través de 'Photo::fromUrl') contiene una comprobación de validación de IP incompleta que no logra bloquear las direcciones de bucle invertido y las direcciones de enlace local. Antes de la versión 7.5.1, un usuario autenticado aún puede acceder a servicios internos utilizando direcciones IP directas, eludiendo las cuatro configuraciones de protección incluso cuando están configuradas con sus valores predeterminados seguros. La versión 7.5.1 contiene una solución para el problema.

26 Mar 2026, 21:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-26 21:17

Updated : 2026-04-01 18:56

NVD link : CVE-2026-33537

Mitre link : CVE-2026-33537

CVE.ORG link : CVE-2026-33537

JSON object : View

Products Affected

lycheeorg

lychee

CWE

CWE-918

Server-Side Request Forgery (SSRF)

5.0 /10