{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33738", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.561Z", "datePublished": "2026-03-26T20:25:44.648Z", "dateUpdated": "2026-03-27T13:55:55.702Z"}, "containers": {"cna": {"title": "Lychee Vulnerable to Stored XSS via Photo Description in RSS/Atom/JSON Feed (No Sanitization on Public Endpoint)", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j"}, {"name": "https://github.com/LycheeOrg/Lychee/pull/4218", "tags": ["x_refsource_MISC"], "url": "https://github.com/LycheeOrg/Lychee/pull/4218"}, {"name": "https://github.com/LycheeOrg/Lychee/commit/d2e2606a0223d5a384d5b806db1b31eb587adc5c", "tags": ["x_refsource_MISC"], "url": "https://github.com/LycheeOrg/Lychee/commit/d2e2606a0223d5a384d5b806db1b31eb587adc5c"}, {"name": "https://github.com/LycheeOrg/Lychee/releases/tag/v7.5.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/LycheeOrg/Lychee/releases/tag/v7.5.3"}], "affected": [{"vendor": "LycheeOrg", "product": "Lychee", "versions": [{"version": "< 7.5.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:25:44.648Z"}, "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue."}], "source": {"advisory": "GHSA-5574-7f3r-hm9j", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:35:56.585454Z", "id": "CVE-2026-33738", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:55:55.702Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33738", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.561Z", "datePublished": "2026-03-26T20:25:44.648Z", "dateUpdated": "2026-03-27T13:55:55.702Z"}, "containers": {"cna": {"title": "Lychee Vulnerable to Stored XSS via Photo Description in RSS/Atom/JSON Feed (No Sanitization on Public Endpoint)", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j"}, {"name": "https://github.com/LycheeOrg/Lychee/pull/4218", "tags": ["x_refsource_MISC"], "url": "https://github.com/LycheeOrg/Lychee/pull/4218"}, {"name": "https://github.com/LycheeOrg/Lychee/commit/d2e2606a0223d5a384d5b806db1b31eb587adc5c", "tags": ["x_refsource_MISC"], "url": "https://github.com/LycheeOrg/Lychee/commit/d2e2606a0223d5a384d5b806db1b31eb587adc5c"}, {"name": "https://github.com/LycheeOrg/Lychee/releases/tag/v7.5.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/LycheeOrg/Lychee/releases/tag/v7.5.3"}], "affected": [{"vendor": "LycheeOrg", "product": "Lychee", "versions": [{"version": "< 7.5.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:25:44.648Z"}, "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue."}], "source": {"advisory": "GHSA-5574-7f3r-hm9j", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33738", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T13:35:56.585454Z"}}}], "references": [{"url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:35:49.583Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue."}], "id": "CVE-2026-33738", "lastModified": "2026-03-26T21:17:08.110", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T21:17:08.110", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/LycheeOrg/Lychee/commit/d2e2606a0223d5a384d5b806db1b31eb587adc5c"}, {"source": "security-advisories@github.com", "url": "https://github.com/LycheeOrg/Lychee/pull/4218"}, {"source": "security-advisories@github.com", "url": "https://github.com/LycheeOrg/Lychee/releases/tag/v7.5.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.5.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Lychee", "source": "cna", "vendor": "LycheeOrg"}, "product": "lychee", "vendor": "lycheeorg"}], "analysis": {"en": {"generated_at": "2026-03-26T21:35:39.509113+00:00", "value": {"mitigation_remediation": ["Update Lychee to version 7.5.3 or later"], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via Public Feed"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to all Lychee installations older than version 7.5.3. The vendor released a fix in 7.5.3, and later releases are considered secure.", "description_and_impact": "Lychee, a popular open\u2011source photo\u2011management application, stores the photo description field without sanitization. When the public /feed endpoint renders these descriptions using unescaped Blade output, any attacker\u2011supplied JavaScript is stored and later served to a reader consuming the RSS, Atom, or JSON feed. The resulting stored cross\u2011site scripting allows code execution in the context of the recipient\u2019s client, potentially enabling credential theft, defacement, or other client\u2011side attacks.", "risk_and_exploitability": "The CVSS score of 4.8 indicates a moderate risk. No EPSS score is available and the vulnerability is not listed in CISA\u2019s KEV catalog, implying limited known exploitation. Because the /feed endpoint is publicly accessible without authentication, an attacker can target any subscriber to the feed, but the impact is confined to the client side of the feed consumer."}}}}, "created": "2026-03-27T08:32:06.203619+00:00", "updated": "2026-03-27T09:23:34.200116+00:00", "vendors": ["lycheeorg", "lycheeorg$PRODUCT$lychee"]}