SSRF Vulnerability in Lychee Photo Management Tool
CVE-2026-33537

5.3MEDIUM

Key Information:

Vendor: Lycheeorg
Status: Lychee
Vendor: CVE Published:; 26 March 2026

What is CVE-2026-33537?

Lychee, an open-source photo management solution, has an SSRF vulnerability due to incomplete IP validation within the patch for GHSA-cpgw-wgf3-xc6v. This flaw allows authenticated users to bypass protective configuration settings and access internal services by directly specifying loopback and link-local IP addresses. Users are encouraged to upgrade to version 7.5.1, which addresses this vulnerability.

Affected Version(s)

Lychee < 7.5.1

References

https://github.com/LycheeOrg/Lychee/security/advisories/G...

x_refsource_CONFIRM

https://github.com/LycheeOrg/Lychee/commit/41386677681d18...

x_refsource_MISC

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 26, 2026
Vulnerability Reserved
Mar 20, 2026

CVE-2026-33537 Data

JSON

Lycheeorg

What is CVE-2026-33537?

Affected Version(s)

References

CVSS V4

Timeline