Code Injection Vulnerability in Lychee Photo Management Tool
CVE-2026-33738

4.8MEDIUM

Key Information:

Vendor

Lycheeorg

Status
Lychee
Vendor
CVE Published:
26 March 2026

What is CVE-2026-33738?

The Lychee photo management tool is susceptible to a code injection vulnerability due to improper sanitization of the photo description field. In versions prior to 7.5.3, the application renders user-controlled input without escaping HTML in the RSS, Atom, and JSON feeds, which can lead to the execution of malicious JavaScript when users access the public feed endpoint. This behavior allows attackers to exploit the vulnerability through an unauthenticated channel, emphasizing the importance of upgrading to version 7.5.3 or later to mitigate this risk.

Affected Version(s)

Lychee < 7.5.3

References

https://github.com/LycheeOrg/Lychee/security/advisories/G...
x_refsource_CONFIRM
https://github.com/LycheeOrg/Lychee/pull/4218
x_refsource_MISC
https://github.com/LycheeOrg/Lychee/commit/d2e2606a0223d5...
x_refsource_MISC

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.