CVE-2026-33537
Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl โ loopback and link-local IPs not blocked
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
12th
Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach internal services using direct IP addresses, bypassing all four protection configuration settings even when they are set to their secure defaults. Version 7.5.1 contains a fix for the issue.
| CWE | CWE-918 |
| Vendor | lycheeorg |
| Product | lychee |
| Published | Mar 26, 2026 |
| Last Updated | Mar 27, 2026 |
Stay Ahead of the Next One
Get instant alerts for lycheeorg lychee
Be the first to know when new unknown vulnerabilities affecting lycheeorg lychee are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
LycheeOrg / Lychee
< 7.5.1