CVE-2026-33738

Name of the Vulnerable Software and Affected Versions Lychee versions prior to 7.5.3

Description Lychee is a free, open-source photo-management tool. Before version 7.5.3, the photo description field was stored without HTML sanitization and rendered using {!! $item->summary !!} (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The /feed API endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript.

Recommendations Update to version 7.5.3 or later.