PT-2025-25769 · Lychee · Lychee

Mrraul124 · Published 2025-06-18 · Updated 2025-06-23 · CVE-2025-50202

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Lychee versions 6.6.6 through 6.6.9

Description

The issue affects Lychee, a free photo-management tool. An attacker can exploit a path traversal vulnerability in SecurePathController.php to leak local files, including environment variables, nginx logs, other users' uploaded images, and configuration secrets.

Recommendations

For versions 6.6.6 through 6.6.9, update to version 6.6.10 to resolve the issue. As a temporary workaround, consider restricting access to the SecurePathController.php file until the update is applied.

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-50202
GHSA-6RJ9-GM78-VHF9

Affected Products

Lychee