{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33537", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T18:05:11.831Z", "datePublished": "2026-03-26T20:01:19.377Z", "dateUpdated": "2026-03-26T20:01:19.377Z"}, "containers": {"cna": {"title": "Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl \u2014 loopback and link-local IPs not blocked", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-vq6w-prpf-h287", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-vq6w-prpf-h287"}, {"name": "https://github.com/LycheeOrg/Lychee/commit/41386677681d18cd04e42a35b50bd88bf53a4a6a", "tags": ["x_refsource_MISC"], "url": "https://github.com/LycheeOrg/Lychee/commit/41386677681d18cd04e42a35b50bd88bf53a4a6a"}], "affected": [{"vendor": "LycheeOrg", "product": "Lychee", "versions": [{"version": "< 7.5.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:01:19.377Z"}, "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach internal services using direct IP addresses, bypassing all four protection configuration settings even when they are set to their secure defaults. Version 7.5.1 contains a fix for the issue."}], "source": {"advisory": "GHSA-vq6w-prpf-h287", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach internal services using direct IP addresses, bypassing all four protection configuration settings even when they are set to their secure defaults. Version 7.5.1 contains a fix for the issue."}], "id": "CVE-2026-33537", "lastModified": "2026-03-26T21:17:05.703", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T21:17:05.703", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/LycheeOrg/Lychee/commit/41386677681d18cd04e42a35b50bd88bf53a4a6a"}, {"source": "security-advisories@github.com", "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-vq6w-prpf-h287"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.5.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Lychee", "source": "cna", "vendor": "LycheeOrg"}, "product": "lychee", "vendor": "lycheeorg"}], "analysis": {"en": {"generated_at": "2026-03-26T21:21:56.640069+00:00", "value": {"mitigation_remediation": ["Upgrade Lychee to version 7.5.1 or later to apply the official fix.", "If upgrading immediately is not possible, block internal loopback and link\u2011local IP ranges at the perimeter or in the application configuration to prevent SSRF to internal services.", "Reinforce authentication controls so that only trusted users can access the Photo::fromUrl feature.", "Monitor application logs for internal request patterns and anomalous IP usage."], "summary": {"action": "Patch immediately", "impact": "Internal Network Access"}, "threat_synthesis": {"affected_systems": "Soft\u2011ware installations of Lychee released before version 7.5.1 are affected. The vulnerability sits in the Photo::fromUrl functionality used when importing images via external URLs. Users running any pre\u20117.5.1 release of Lychee\u2019s open\u2011source photo\u2011management tool are at risk.", "description_and_impact": "An authenticated user can exploit a flaw in Lychee\u2019s Photo::fromUrl method that does not block loopback or link\u2011local IP addresses. The incomplete IP validation lets attackers force the application to issue requests to arbitrary internal addresses, thereby bypassing the four protection settings even when they are set to secure defaults. The result is unauthorized access to internal services or data, compromising the confidentiality and integrity of resources behind the network firewall.", "risk_and_exploitability": "The problem carries a CVSS score of 5.3, indicating moderate severity. No EPSS score is available and the issue is not listed in CISA\u2019s KEV catalog. Exploitation requires a valid user session within the Lychee instance; the attacker supplies a target IP. Because the flaw bypasses all configured safeguards, the risk of internal network compromise is significant for deployments that do not restrict internal service access and run older releases."}}}}, "created": "2026-03-27T08:32:19.905197+00:00", "updated": "2026-03-27T09:25:16.762228+00:00", "vendors": ["lycheeorg", "lycheeorg$PRODUCT$lychee"]}