Description
Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue.
Published: 2026-03-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via public RSS feed
Action: Apply Patch
AI Analysis

Impact

Lychee stores photo description text without sanitization and injects it into the public RSS, Atom and JSON feeds through unescaped Blade output (`{!! $item->summary !!}`). An attacker who can set a photo's description can therefore embed arbitrary HTML, including JavaScript, in it. Feed readers render entry bodies as HTML, so when a browser-based or web-rendering reader displays the feed, the injected script runs in that reader's context, where it can steal session cookies or tokens, perform actions on behalf of the user, and compromise the confidentiality and integrity of that user's data. Non-rendering consumers (a script that only parses the XML) are not affected, which is why the impact is limited to the client side. The vulnerability is a stored cross‑site scripting flaw (CWE‑79).

Affected Systems

Lychee, the open‑source photo‑management application published by LycheeOrg, is affected. All installations running a version older than 7.5.3 are vulnerable. The vulnerable output is reached through the `/feed` endpoint, which is publicly accessible without authentication, so a stored payload is served to every reader that subscribes to the instance's feed, not only to logged-in users.

Risk and Exploitability

With a CVSS v4.0 base score of 4.8 (AV:N/AC:L/AT:P/PR:L/UI:P; NVD's separate CVSS v3.1 assessment scores it 5.4 with PR:L/UI:R/S:C), the flaw is rated medium severity. The EPSS score of under 1% suggests a low probability of exploitation in the wild, the vulnerability is not flagged in the CISA KEV catalog, and the SSVC record lists exploitation status as proof-of-concept only. The attack path is simple: an attacker with an account that can edit a photo description (the PR:L in both vectors, so the attacker does need a low-privileged Lychee login even though feed consumers do not) stores a description containing HTML with JavaScript and makes sure the photo is included in the public feed. The stored payload is then served, without authentication, to any reader that pulls `/feed`, and it fires when the reader renders the entry as HTML (the UI:P/UI:R component). At that point the script executes with the privileges of the viewer inside the reader's origin, leading to data theft or other client‑side compromise.

Generated by OpenCVE AI on March 30, 2026 at 20:40 UTC.

Remediation

Vendor fix: Lychee 7.5.3, per the CVE description. No vendor-published workaround is listed; the mitigations below are OpenCVE's own suggestions.

OpenCVE Recommended Actions

  • Upgrade Lychee to version 7.5.3 or later, where the issue is fixed.
  • If an upgrade is not immediately possible, restrict access to the /feed endpoint (firewall rule, reverse-proxy HTTP authentication, or disabling the feed) so that unauthenticated readers cannot receive the vulnerable content. This closes the public delivery path but leaves any already-stored payload in the database.
  • As a temporary mitigation, audit existing photo descriptions for HTML (tags, `on*` event-handler attributes, `javascript:` URLs) and strip it. Any user able to edit a description can reintroduce a payload until the upgrade is applied, so this is a clean-up step, not a fix.
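
The script below is an added example for this page; it is not Lychee's own code and not part of the advisory. It does two things the text above describes only in prose: it reproduces the two Blade output forms (`{!! ... !!}` raw versus `{{ ... }}` HTML-escaped) inside an RSS template to show when a reader still receives executable HTML, and it audits an RSS 2.0, Atom or JSON Feed document for entry bodies that a reader would render as active content. The feed documents and the `onerror` probe are constructed canaries; the function names (`audit_feed`, `render_description`, `sample_rss`) and the tag/attribute heuristics are this example's own choices. The `content_html` field name comes from the JSON Feed specification.

```python
"""Audit a feed for active HTML in entry bodies, and show why `{!! !!}` is unsafe.

Added example for this advisory page, not Lychee's own code. The feeds and the
`onerror` probe below are constructed; the probe is a generic XSS canary."""
import html
import json
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Heuristics (this example's own): elements and attributes that let feed
# content run script or hijack rendering once a reader treats it as HTML.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "style", "link", "meta", "base"}
URL_ATTRS = {"href", "src", "action", "formaction", "data"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")
CONTAINERS = {"item", "entry"}                     # RSS 2.0 item, Atom entry
BODIES = {"description", "summary", "content"}     # fields readers render as HTML


class ActiveContentFinder(HTMLParser):
    """Collect (tag, reason) pairs for markup that can run script in a feed reader."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append((tag, "active element"))
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                self.findings.append((tag, f"event handler {name}"))
            elif name in URL_ATTRS and (value or "").strip().lower().startswith(SCRIPT_SCHEMES):
                self.findings.append((tag, f"script URL in {name}"))


def active_content_findings(fragment):
    """Findings for one body, given as the HTML a reader would actually parse."""
    finder = ActiveContentFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings


def inner_markup(elem):
    """Element text plus its serialized child elements. Raw `{!! !!}` output that is
    not wrapped in CDATA arrives as child XML elements, which readers render as HTML."""
    return (elem.text or "") + "".join(ET.tostring(c, encoding="unicode") for c in elem)


def local(tag):
    return tag.rsplit("}", 1)[-1]   # strip the Atom namespace, if any


def audit_feed(feed_text):
    """Return {title: findings} for entries whose body contains active content.
    Accepts RSS 2.0 or Atom XML, or a JSON Feed document (items[].content_html)."""
    report = {}
    if feed_text.lstrip().startswith("{"):
        for item in json.loads(feed_text).get("items", []):
            found = active_content_findings(item.get("content_html") or "")
            if found:
                report[item.get("title", "(untitled)")] = found
        return report
    for node in ET.fromstring(feed_text).iter():
        if local(node.tag) not in CONTAINERS:
            continue
        title = next((c.text for c in node if local(c.tag) == "title"), None) or "(untitled)"
        body = "".join(inner_markup(c) for c in node if local(c.tag) in BODIES)
        found = active_content_findings(body)
        if found:
            report[title] = found
    return report


# --- Reproduce the two Blade output forms in an RSS template (illustration only) ---
PROBE = '<img src="x" onerror="alert(document.domain)"/>'   # constructed canary payload


def render_description(summary, escape, cdata):
    """escape=False mirrors `{!! $item->summary !!}`; escape=True mirrors `{{ ... }}`.
    cdata selects whether the template wraps the value in <![CDATA[...]]>."""
    body = html.escape(summary, quote=True) if escape else summary
    if cdata:
        body = "<![CDATA[" + body.replace("]]>", "]]]]><![CDATA[>") + "]]>"
    return f"<description>{body}</description>"


def sample_rss(escape, cdata):
    """Constructed two-item feed: one harmless caption and one probe description."""
    items = "".join(
        f"<item><title>{t}</title>{render_description(s, escape, cdata)}</item>"
        for t, s in (("Sunset", "A plain caption"), ("Probe", PROBE)))
    return f'<rss version="2.0"><channel><title>Lychee</title>{items}</channel></rss>'


if __name__ == "__main__":
    for escape, cdata in ((False, True), (False, False), (True, True), (True, False)):
        flagged = sorted(audit_feed(sample_rss(escape, cdata)))
        print(f"escape={escape!s:5} cdata={cdata!s:5} -> flagged entries: {flagged}")
```

To check a live instance, fetch `/feed` with an unauthenticated GET and pass the response body to `audit_feed()`. The four-way run in `__main__` shows that only the escaped-inside-CDATA form produces a clean feed: escaping once outside CDATA is undone by the reader's XML parser, which hands the decoded `<img ...>` to the HTML renderer, so the entry is still flagged. That is why, whatever the template does, stripping or sanitizing HTML in the stored description itself is the safer place to enforce the rule. Note also that raw output outside CDATA only parses here because the probe is well-formed XML; an unquoted attribute or bare `&` in a description would instead break the whole feed.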


Advisories

No advisories yet.

History

Mon, 30 Mar 2026 19:00:00 +0000

Type: CPEs
Values added: cpe:2.3:a:lycheeorg:lychee:*:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Fri, 27 Mar 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
Values added: Lycheeorg; Lycheeorg lychee

Type: Vendors & Products
Values added: Lycheeorg; Lycheeorg lychee

Thu, 26 Mar 2026 20:30:00 +0000

Type: Description
Values added: Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue.

Type: Title
Values added: Lychee Vulnerable to Stored XSS via Photo Description in RSS/Atom/JSON Feed (No Sanitization on Public Endpoint)

Type: Weaknesses
Values added: CWE-79

Type: References
Values added: (not shown on this page)

Type: Metrics (cvssV4_0)
Values added: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T13:55:55.702Z

Reserved: 2026-03-23T17:34:57.561Z

Link: CVE-2026-33738

Vulnrichment

Updated: 2026-03-27T13:35:49.583Z

NVD

Status : Analyzed

Published: 2026-03-26T21:17:08.110

Modified: 2026-03-30T18:45:14.510

Link: CVE-2026-33738

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:57:27Z

Weaknesses