Description

Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach internal services using direct IP addresses, bypassing all four protection configuration settings even when they are set to their secure defaults. Version 7.5.1 contains a fix for the issue.

INFO

Published Date :

2026-03-26T20:01:19.377Z

Last Modified :

2026-03-27T19:46:28.419Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33537 vulnerability.

Vendors Products
Lycheeorg
  • Lychee
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33537.

URL Resource
https://github.com/LycheeOrg/Lychee/commit/41386677681d18cd04e42a35b50bd88bf53a4a6a cve-icon cve-icon
https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-vq6w-prpf-h287 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability