Highildyria

#28818 of 53,630
8.8 total CVSS
Vulnerabilities · 1
PT-2023-31914
8.8
2023-12-28
Lychee · Lychee · CVE-2023-52082
**Name of the Vulnerable Software and Affected Versions** Lychee versions prior to 5.0.2

**Description** Lychee, a free photo-management tool, is vulnerable to an SQL injection on any binding when using MySQL/MariaDB. This injection is only active for users with the `.env` settings set to `DB_LOG_SQL=true` and `DB_LOG_SQL_EXPLAIN=true`. The default settings of Lychee are safe. It is estimated that around 7,328 devices are potentially affected, mainly distributed in China, Germany, and other countries.

**Recommendations** To work around this issue, disable SQL EXPLAIN logging. For versions prior to 5.0.2, update to version 5.0.2 to resolve the issue.