Description
Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue.
Published: 2026-03-26
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: Stored Cross‑Site Scripting via Public Feed
Action: Apply Patch
AI Analysis

Impact

Lychee, a popular open-source photo-management application, stores the photo description field without sanitizing HTML. When the public /feed endpoint renders those descriptions through unescaped Blade output, any markup or script an attacker has saved in a description is emitted verbatim into the RSS, Atom and JSON feeds and delivered to whoever consumes them. The result is stored cross-site scripting in the feed reader's rendering context, which can expose the reader's session or cookies, alter what the reader displays, or drive further client-side attacks against the subscriber.

Affected Systems

The vulnerability affects every Lychee installation older than version 7.5.3. The vendor shipped the fix in 7.5.3, so that release and later ones are not affected.

Risk and Exploitability

The CVSS 4.0 score of 4.8 (Medium) reflects a network-reachable flaw that needs low privileges on the Lychee instance (PR:L, an account able to set a photo description) and only passive interaction from the victim (UI:P, opening the feed in a reader that renders the description as HTML). No EPSS score is available and the CVE is not in CISA's KEV catalog, so no exploitation in the wild is recorded here. Because /feed requires no authentication, every subscriber to the feed is a potential target; the impact, however, lands on the feed consumer's client (the vector's SC:H), not on the Lychee server itself.

Generated by OpenCVE AI on March 26, 2026 at 21:35 UTC.

Remediation

Vendor fix: upgrade to Lychee 7.5.3 or later (the description above credits that release with the fix). No workaround is listed on this page.

OpenCVE Recommended Actions

  • Update Lychee to version 7.5.3 or later

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Lycheeorg
                                        Lycheeorg lychee
Vendors & Products                      Lycheeorg
                                        Lycheeorg lychee

Thu, 26 Mar 2026 20:30:00 +0000

Type          Values Removed    Values Added
Description                     Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue.
Title                           Lychee Vulnerable to Stored XSS via Photo Description in RSS/Atom/JSON Feed (No Sanitization on Public Endpoint)
Weaknesses                      CWE-79
References
Metrics                         cvssV4_0: score 4.8, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T20:25:44.648Z

Reserved: 2026-03-23T17:34:57.561Z

Link: CVE-2026-33738

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-26T21:17:08.110

Modified: 2026-03-26T21:17:08.110

Link: CVE-2026-33738

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:23:34Z

Weaknesses