{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33537", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T18:05:11.831Z", "datePublished": "2026-03-26T20:01:19.377Z", "dateUpdated": "2026-03-27T19:46:28.419Z"}, "containers": {"cna": {"title": "Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl \u2014 loopback and link-local IPs not blocked", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-vq6w-prpf-h287", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-vq6w-prpf-h287"}, {"name": "https://github.com/LycheeOrg/Lychee/commit/41386677681d18cd04e42a35b50bd88bf53a4a6a", "tags": ["x_refsource_MISC"], "url": "https://github.com/LycheeOrg/Lychee/commit/41386677681d18cd04e42a35b50bd88bf53a4a6a"}], "affected": [{"vendor": "LycheeOrg", "product": "Lychee", "versions": [{"version": "< 7.5.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:01:19.377Z"}, "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach internal services using direct IP addresses, bypassing all four protection configuration settings even when they are set to their secure defaults. Version 7.5.1 contains a fix for the issue."}], "source": {"advisory": "GHSA-vq6w-prpf-h287", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T19:46:02.228439Z", "id": "CVE-2026-33537", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:46:28.419Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lycheeorg:lychee:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D76BAF6-169E-40A5-9961-D2124A82004D", "versionEndExcluding": "7.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach internal services using direct IP addresses, bypassing all four protection configuration settings even when they are set to their secure defaults. Version 7.5.1 contains a fix for the issue."}, {"lang": "es", "value": "Lychee es una herramienta de gesti\u00f3n de fotos gratuita y de c\u00f3digo abierto. El parche introducido para GHSA-cpgw-wgf3-xc6v (SSRF a trav\u00e9s de 'Photo::fromUrl') contiene una comprobaci\u00f3n de validaci\u00f3n de IP incompleta que no logra bloquear las direcciones de bucle invertido y las direcciones de enlace local. Antes de la versi\u00f3n 7.5.1, un usuario autenticado a\u00fan puede acceder a servicios internos utilizando direcciones IP directas, eludiendo las cuatro configuraciones de protecci\u00f3n incluso cuando est\u00e1n configuradas con sus valores predeterminados seguros. La versi\u00f3n 7.5.1 contiene una soluci\u00f3n para el problema."}], "id": "CVE-2026-33537", "lastModified": "2026-04-01T18:56:40.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T21:17:05.703", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/LycheeOrg/Lychee/commit/41386677681d18cd04e42a35b50bd88bf53a4a6a"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-vq6w-prpf-h287"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.5.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Lychee", "source": "cna", "vendor": "LycheeOrg"}, "product": "lychee", "vendor": "lycheeorg"}], "analysis": {"en": {"generated_at": "2026-03-26T21:21:56.640069+00:00", "value": {"mitigation_remediation": ["Upgrade Lychee to version 7.5.1 or later to apply the official fix.", "If upgrading immediately is not possible, block internal loopback and link\u2011local IP ranges at the perimeter or in the application configuration to prevent SSRF to internal services.", "Reinforce authentication controls so that only trusted users can access the Photo::fromUrl feature.", "Monitor application logs for internal request patterns and anomalous IP usage."], "summary": {"action": "Patch immediately", "impact": "Internal Network Access"}, "threat_synthesis": {"affected_systems": "Soft\u2011ware installations of Lychee released before version 7.5.1 are affected. The vulnerability sits in the Photo::fromUrl functionality used when importing images via external URLs. Users running any pre\u20117.5.1 release of Lychee\u2019s open\u2011source photo\u2011management tool are at risk.", "description_and_impact": "An authenticated user can exploit a flaw in Lychee\u2019s Photo::fromUrl method that does not block loopback or link\u2011local IP addresses. The incomplete IP validation lets attackers force the application to issue requests to arbitrary internal addresses, thereby bypassing the four protection settings even when they are set to secure defaults. The result is unauthorized access to internal services or data, compromising the confidentiality and integrity of resources behind the network firewall.", "risk_and_exploitability": "The problem carries a CVSS score of 5.3, indicating moderate severity. No EPSS score is available and the issue is not listed in CISA\u2019s KEV catalog. Exploitation requires a valid user session within the Lychee instance; the attacker supplies a target IP. Because the flaw bypasses all configured safeguards, the risk of internal network compromise is significant for deployments that do not restrict internal service access and run older releases."}}}}, "created": "2026-03-27T08:32:19.905197+00:00", "updated": "2026-03-27T09:25:16.762228+00:00", "vendors": ["lycheeorg", "lycheeorg$PRODUCT$lychee"]}