CVE-2023-52082

Name of the Vulnerable Software and Affected Versions Lychee versions prior to 5.0.2

Description Lychee, a free photo-management tool, is vulnerable to an SQL injection on any binding when using mysql/mariadb. This injection is only active for users with the .env settings set to DB LOG SQL=true and DB LOG SQL EXPLAIN=true. The defaults settings of Lychee are safe. It is estimated that around 7,328 devices are potentially affected, mainly distributed in China, Germany, and other countries.

Recommendations To work around this issue, disable SQL EXPLAIN logging. For versions prior to 5.0.2, update to version 5.0.2 to resolve the issue.