Description

Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue.

INFO

Published Date :

2026-03-26T20:04:18.728Z

Last Modified :

2026-03-26T20:04:18.728Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33644 vulnerability.

Vendors Products
Lycheeorg
  • Lychee
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33644.

URL Resource
https://github.com/LycheeOrg/Lychee/commit/28c5261fb9deab4f9420c8cc2f73a87425939107 cve-icon cve-icon
https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5245-4p8c-jwff cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability