Suggestions search

All statuses

Filter by:

With package: lychee

Found 3 matching suggestions

View:

Compact

Detailed

Published

Permalink CVE-2026-33738

updated 1 month ago by @LeSuisse Activity log

Created suggestion 1 month ago
@LeSuisse ignored
4 packages
- LycheeSlicer
- lycheeslicer
- tests.testers.lycheeLinkCheck.ok
- tests.testers.lycheeLinkCheck.network
1 month ago
@LeSuisse accepted 1 month ago
@LeSuisse published on GitHub 1 month ago

Lychee Vulnerable to Stored XSS via Photo Description in RSS/Atom/JSON Feed (No Sanitization on Public Endpoint)

Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue.

References

https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j x_refsource_CONFIRM
https://github.com/LycheeOrg/Lychee/pull/4218 x_refsource_MISC
https://github.com/LycheeOrg/Lychee/commit/d2e2606a0223d5a384d5b806db1b31eb587adc5c x_refsource_MISC
https://github.com/LycheeOrg/Lychee/releases/tag/v7.5.3 x_refsource_MISC

Affected products

Lychee

==< 7.5.3

Matching in nixpkgs

pkgs.lychee

Fast, async, stream-based link checker written in Rust

nixos-unstable 0.23.0
- nixpkgs-unstable 0.23.0
- nixos-unstable-small 0.23.0
nixos-25.11 0.21.0
- nixos-25.11-small 0.21.0
- nixpkgs-25.11-darwin 0.21.0

Ignored packages (4)

pkgs.LycheeSlicer

All-in-one 3D slicer for resin and FDM printers

nixos-unstable 7.6.3
- nixpkgs-unstable 7.6.2
- nixos-unstable-small 7.6.3
nixos-25.11 7.5.0
- nixos-25.11-small 7.5.0
- nixpkgs-25.11-darwin 7.5.0

pkgs.lycheeslicer

All-in-one 3D slicer for resin and FDM printers

nixos-unstable 7.6.3
- nixpkgs-unstable 7.6.2
- nixos-unstable-small 7.6.3

pkgs.tests.testers.lycheeLinkCheck.ok

None

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

pkgs.tests.testers.lycheeLinkCheck.network

None

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

Package maintainers

@totoroot Matthias Thym <git@thym.at>
@tuxinaut Denny Schäfer <trash4you@tuxinaut.de>

Upstream advisory: https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j
Upstream patch: https://github.com/LycheeOrg/Lychee/commit/d2e2606a0223d5a384d5b806db1b31eb587adc5c

Untriaged

Permalink CVE-2026-33644

created 1 month ago Activity log

Created suggestion 1 month ago

Lychee has SSRF bypass via DNS rebinding — PhotoUrlRule only validates IP addresses, not hostnames resolving to internal IPs

Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue.

References

https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5245-4p8c-jwff x_refsource_CONFIRM
https://github.com/LycheeOrg/Lychee/commit/28c5261fb9deab4f9420c8cc2f73a87425939107 x_refsource_MISC

Affected products

Lychee

==< 7.5.2

Matching in nixpkgs

pkgs.lychee

Fast, async, stream-based link checker written in Rust

nixos-unstable 0.23.0
- nixpkgs-unstable 0.23.0
- nixos-unstable-small 0.23.0
nixos-25.11 0.21.0
- nixos-25.11-small 0.21.0
- nixpkgs-25.11-darwin 0.21.0

pkgs.LycheeSlicer

All-in-one 3D slicer for resin and FDM printers

nixos-unstable 7.6.3
- nixpkgs-unstable 7.6.2
- nixos-unstable-small 7.6.3
nixos-25.11 7.5.0
- nixos-25.11-small 7.5.0
- nixpkgs-25.11-darwin 7.5.0

pkgs.lycheeslicer

All-in-one 3D slicer for resin and FDM printers

nixos-unstable 7.6.3
- nixpkgs-unstable 7.6.2
- nixos-unstable-small 7.6.3

pkgs.tests.testers.lycheeLinkCheck.ok

None

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

pkgs.tests.testers.lycheeLinkCheck.network

None

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

Package maintainers

@Tarinaky Tarinaky
@totoroot Matthias Thym <git@thym.at>
@tuxinaut Denny Schäfer <trash4you@tuxinaut.de>
@ZachDavies Zach Davies <zdmalta@proton.me>

Untriaged

Permalink CVE-2026-33537

created 1 month ago Activity log

Created suggestion 1 month ago

Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl — loopback and link-local IPs not blocked

Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach internal services using direct IP addresses, bypassing all four protection configuration settings even when they are set to their secure defaults. Version 7.5.1 contains a fix for the issue.