Back to search
CVE-2026-33738
Published: Mar 26, 2026
Modified: Mar 27, 2026
PUBLISHED
Description
Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue.
| Vendor | Product | Versions |
|---|---|---|
LycheeOrg | Lychee | affected < 7.5.3 |
Weaknesses (CWE)
References
https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j
x_refsource_CONFIRM
https://github.com/LycheeOrg/Lychee/pull/4218
x_refsource_MISC
https://github.com/LycheeOrg/Lychee/releases/tag/v7.5.3
x_refsource_MISC
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now