PT-2026-28504 · Lychee · Lychee

Morimori-Dev · Published 2026-03-26 · Updated 2026-03-26 · CVE-2026-33644

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Lychee versions prior to 7.5.2
Description: Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the Server-Side Request Forgery (SSRF) protection in PhotoUrlRule.php could be bypassed via DNS rebinding. The IP validation check (lines 86-89) runs only when the supplied host is a literal IP address: for a domain name, filter_var($host, FILTER_VALIDATE_IP) returns false and the whole check is skipped, so the name is never resolved and compared against private or reserved ranges. An attacker who controls a DNS name can therefore point it at an internal address (or rebind it after validation) and have the application fetch from hosts the check was meant to block, allowing potential unauthorized access or actions through the vulnerable application.
Recommendations: Update to Lychee version 7.5.2 or later.
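The following PHP is an added example written for this page; it is not Lychee's code and not the 7.5.2 patch. It puts the pre-7.5.2 pattern described above (a check that only inspects literal IP hosts) next to a hardened variant that resolves the name, rejects any private or reserved address, and pins the outgoing connection to the vetted addresses so a second lookup at connect time cannot be rebound. Function names, the injectable resolver and the sample hostnames are assumptions made for illustration.

```php
<?php
// Added example, not Lychee's code. Contrasts a host check that only
// validates literal IPs (the pre-7.5.2 pattern) with one that resolves
// hostnames and validates every address returned.
declare(strict_types=1);

// Vulnerable pattern: a literal IP is range-checked, but any DNS name
// skips the check entirely because FILTER_VALIDATE_IP rejects it.
function hostIsAllowedLiteralOnly(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return filter_var(
            $host,
            FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
        ) !== false;
    }
    return true; // "internal.example" or a rebinding domain passes here
}

// Hardened pattern: resolve the name and reject if any A/AAAA record is
// private, loopback, link-local or otherwise reserved. Returns the vetted
// addresses so the caller can pin the connection to them. $resolver is a
// hook (assumed here) so the check can be exercised without live DNS.
function resolveAllowedAddresses(string $host, ?callable $resolver = null): array
{
    $resolver ??= static function (string $h): array {
        $addrs = [];
        foreach (dns_get_record($h, DNS_A | DNS_AAAA) ?: [] as $rec) {
            $addrs[] = $rec['ip'] ?? $rec['ipv6'];
        }
        return $addrs;
    };

    $candidates = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : $resolver($host);
    if ($candidates === []) {
        throw new RuntimeException("no addresses for $host");
    }
    foreach ($candidates as $ip) {
        $ok = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($ok === false) {
            throw new RuntimeException("$host resolves to disallowed address $ip");
        }
    }
    return $candidates;
}

// Pin the fetch to the vetted addresses via CURLOPT_RESOLVE so curl does
// not perform its own lookup (the DNS-rebinding window). Redirects are
// disabled because each hop would need the same vetting.
function fetchPinned(string $url, array $vettedAddrs): string|false
{
    $host   = parse_url($url, PHP_URL_HOST);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    $port   = parse_url($url, PHP_URL_PORT) ?? ($scheme === 'https' ? 443 : 80);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["$host:$port:" . implode(',', $vettedAddrs)],
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Demonstration with constructed resolver answers (no network needed).
$attackerName = 'photos.attacker.example'; // assumed attacker-controlled name
var_dump(hostIsAllowedLiteralOnly('127.0.0.1'));   // bool(false): literal IP is caught
var_dump(hostIsAllowedLiteralOnly($attackerName)); // bool(true):  name skips the check

try {
    resolveAllowedAddresses($attackerName, fn(string $h): array => ['127.0.0.1']);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL; // rejected: resolves to loopback
}
$addrs = resolveAllowedAddresses($attackerName, fn(string $h): array => ['203.0.113.10']);
print_r($addrs); // ['203.0.113.10'] would then be passed to fetchPinned()
```

Two caveats a practitioner should keep in mind: FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE do not normalise every encoding of an internal address (IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 deserve an explicit check), and a redirect from a vetted host can still land on an internal one, which is why the fetch above refuses to follow redirects rather than re-vetting each hop.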

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-33644
GHSA-5245-4P8C-JWFF

Affected Products

Lychee