CVE-2026-33537

Name of the Vulnerable Software and Affected Versions Lychee versions prior to 7.5.1

Description Lychee is a free, open-source photo-management tool. A flaw exists in the IP validation check within the patch for an SSRF issue related to Photo::fromUrl. This incomplete check fails to block loopback and link-local addresses. Before version 7.5.1, an authenticated user could access internal services using direct IP addresses, bypassing all four protection configurations, even with secure default settings.

Recommendations Update to version 7.5.1 or later.