Lychee · Lychee · CVE-2023-52082
**Name of the Vulnerable Software and Affected Versions**
Lychee versions prior to 5.0.2
**Description**
Lychee, a free photo-management tool, is vulnerable to SQL injection through any query binding when it runs on MySQL/MariaDB. The injection is only reachable when both `DB_LOG_SQL=true` and `DB_LOG_SQL_EXPLAIN=true` are set in `.env`: with EXPLAIN logging enabled, the logged statement is reconstructed from the query text and its bound values, so a crafted value in any binding alters the statement that is executed, while the normal parameterised query path is unaffected. Lychee's default settings (both options off) are safe. An estimated 7,328 internet-exposed installations are potentially affected, mainly in China and Germany; note that such a count covers reachable installs, and exploitability still depends on the non-default logging settings above.
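The script below is an added illustration of the pattern described above; it is not Lychee's code (Lychee is a PHP application) and uses SQLite in place of MySQL/MariaDB so it runs offline. The tables, query and payload are constructed for the demo. `build_explain_unsafe` rebuilds the literal statement by splicing the bindings into the SQL text before prefixing EXPLAIN, which is what turns every binding into an injection point; `run_explain_safe` EXPLAINs the parameterised statement and hands the bindings to the driver instead, so the same payload is treated as data.

```python
"""Illustration of the SQL-injection pattern behind CVE-2023-52082.

Hypothetical code, not Lychee's. A query logger that wants to EXPLAIN each
statement needs the query text plus its bindings. The unsafe variant splices
the bound values into the SQL string before running EXPLAIN; the hardened
variant keeps them as bound parameters. SQLite stands in for MySQL/MariaDB.
"""
import sqlite3

# Constructed sample query and attacker-controlled binding (demo data only).
QUERY = "SELECT id, title, owner_id FROM photos WHERE owner_id = ? AND title = ?"
PAYLOAD = "x' UNION SELECT id, username, password_hash FROM users -- "


def make_demo_db() -> sqlite3.Connection:
    """Build an in-memory database with two constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE photos (id INTEGER PRIMARY KEY, title TEXT, owner_id INTEGER);
        CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO photos VALUES (1, 'cat', 1), (2, 'dog', 2);
        INSERT INTO users  VALUES (1, 'alice', 'hash-a'), (2, 'bob', 'hash-b');
        """
    )
    return conn


def _interpolate(value) -> str:
    """Naive literal rendering: quote strings, no escaping. This is the bug."""
    if isinstance(value, str):
        return "'" + value + "'"
    return str(value)


def build_explain_unsafe(sql: str, bindings) -> str:
    """VULNERABLE: rebuild the literal statement by replacing each '?' with the
    rendered binding, then prefix EXPLAIN. A binding that contains SQL syntax
    changes the statement that will be executed."""
    text = sql
    for value in bindings:
        text = text.replace("?", _interpolate(value), 1)
    return "EXPLAIN QUERY PLAN " + text


def run_explain_unsafe(conn: sqlite3.Connection, sql: str, bindings) -> list:
    """Execute the spliced-together EXPLAIN (the vulnerable logging path)."""
    return conn.execute(build_explain_unsafe(sql, bindings)).fetchall()


def run_explain_safe(conn: sqlite3.Connection, sql: str, bindings) -> list:
    """HARDENED: EXPLAIN the parameterised statement and pass the bindings to
    the driver. The payload is compared as data and never parsed as SQL."""
    return conn.execute("EXPLAIN QUERY PLAN " + sql, tuple(bindings)).fetchall()


def tables_in_plan(rows) -> set:
    """Collect the table names a plan touches. The 'detail' column (last in
    each row) reads like 'SCAN users', 'SEARCH photos USING ...' or, on older
    SQLite builds, 'SCAN TABLE users'."""
    found = set()
    for row in rows:
        words = str(row[-1]).upper().split()
        for i, w in enumerate(words):
            if w in ("SCAN", "SEARCH") and i + 1 < len(words):
                name = words[i + 1]
                if name == "TABLE" and i + 2 < len(words):
                    name = words[i + 2]
                found.add(name.lower())
    return found


if __name__ == "__main__":
    conn = make_demo_db()
    print("unsafe text :", build_explain_unsafe(QUERY, (1, PAYLOAD)))
    print("unsafe plan :", tables_in_plan(run_explain_unsafe(conn, QUERY, (1, PAYLOAD))))
    print("safe plan   :", tables_in_plan(run_explain_safe(conn, QUERY, (1, PAYLOAD))))
```

Running it shows the unsafe path planning a UNION against the `users` table that the original query never referenced, while the hardened path plans only the `photos` lookup. The same distinction applies to MySQL/MariaDB, which accept `EXPLAIN` on a prepared statement with bound parameters.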
**Recommendations**
To work around this issue, disable SQL EXPLAIN logging by setting `DB_LOG_SQL_EXPLAIN=false` (or removing the setting) in `.env`. `DB_LOG_SQL` is a debugging aid and can be left at its default of false in production as well.
Installations running a version prior to 5.0.2 should update to 5.0.2 or later, which resolves the issue.