CVE-2026-33537

MEDIUM

Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl — loopback and link-local IPs not blocked

Title source: cna

Description

Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach internal services using direct IP addresses, bypassing all four protection configuration settings even when they are set to their secure defaults. Version 7.5.1 contains a fix for the issue.

References (2)

[X_Refsource_Confirm] https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-vq6w-prpf-h287

[X_Refsource_Misc] https://github.com/LycheeOrg/Lychee/commit/41386677681d18cd04e42a35b50bd88bf53a4a6a

View Writeup ZIP pw:eip

Scores

CVSS v3 5.0

EPSS 0.0004

EPSS Percentile 10.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (2)

lycheeorg/lychee < 7.5.1

LycheeOrg/Lychee < 7.5.1

Published Mar 26, 2026

Tracked Since Mar 27, 2026