Description
Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach internal services using direct IP addresses, bypassing all four protection configuration settings even when they are set to their secure defaults. Version 7.5.1 contains a fix for the issue.
Published: 2026-03-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SSRF enabling internal network access
Action: Apply patch
AI Analysis

Impact

Lychee allows authenticated users to request arbitrary URLs through the Photo::fromUrl function. The validation that should reject loopback and link‑local IPs is incomplete, letting attackers use internal IP addresses to reach services on the same host or local network, thereby bypassing all four protection settings even when they are at their secure defaults. This flaw enables disclosure or manipulation of internal resources without requiring external network access.

Affected Systems

All Lychee installations prior to version 7.5.1 are susceptible. Versions 7.5.1 and later contain a fix that correctly blocks loopback and link‑local addresses.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact, and the EPSS score of less than 1 % suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Because it requires an authenticated user, the risk is confined to internal accounts that can submit URLs via Photo::fromUrl, but once exploited, the attacker can access sensitive internal services.

Generated by OpenCVE AI on April 2, 2026 at 05:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Lychee to version 7.5.1 or later

Generated by OpenCVE AI on April 2, 2026 at 05:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:lycheeorg:lychee:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Lycheeorg
Lycheeorg lychee
Vendors & Products Lycheeorg
Lycheeorg lychee

Thu, 26 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach internal services using direct IP addresses, bypassing all four protection configuration settings even when they are set to their secure defaults. Version 7.5.1 contains a fix for the issue.
Title Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl — loopback and link-local IPs not blocked
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}

Subscriptions

Lycheeorg Lychee
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:46:28.419Z

Reserved: 2026-03-20T18:05:11.831Z

Link: CVE-2026-33537

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T21:17:05.703

Modified: 2026-04-01T18:56:40.970

Link: CVE-2026-33537

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:56:32Z

Weaknesses