{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33644", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T15:23:42.216Z", "datePublished": "2026-03-26T20:04:18.728Z", "dateUpdated": "2026-03-30T11:30:40.546Z"}, "containers": {"cna": {"title": "Lychee has SSRF bypass via DNS rebinding \u2014 PhotoUrlRule only validates IP addresses, not hostnames resolving to internal IPs", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5245-4p8c-jwff", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5245-4p8c-jwff"}, {"name": "https://github.com/LycheeOrg/Lychee/commit/28c5261fb9deab4f9420c8cc2f73a87425939107", "tags": ["x_refsource_MISC"], "url": "https://github.com/LycheeOrg/Lychee/commit/28c5261fb9deab4f9420c8cc2f73a87425939107"}], "affected": [{"vendor": "LycheeOrg", "product": "Lychee", "versions": [{"version": "< 7.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:04:18.728Z"}, "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue."}], "source": {"advisory": "GHSA-5245-4p8c-jwff", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T11:30:26.685722Z", "id": "CVE-2026-33644", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:30:40.546Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33644", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T11:30:26.685722Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:30:34.191Z"}}], "cna": {"title": "Lychee has SSRF bypass via DNS rebinding \u2014 PhotoUrlRule only validates IP addresses, not hostnames resolving to internal IPs", "source": {"advisory": "GHSA-5245-4p8c-jwff", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "LycheeOrg", "product": "Lychee", "versions": [{"status": "affected", "version": "< 7.5.2"}]}], "references": [{"url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5245-4p8c-jwff", "name": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5245-4p8c-jwff", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/LycheeOrg/Lychee/commit/28c5261fb9deab4f9420c8cc2f73a87425939107", "name": "https://github.com/LycheeOrg/Lychee/commit/28c5261fb9deab4f9420c8cc2f73a87425939107", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:04:18.728Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33644", "state": "PUBLISHED", "dateUpdated": "2026-03-30T11:30:40.546Z", "dateReserved": "2026-03-23T15:23:42.216Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T20:04:18.728Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lycheeorg:lychee:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2C772E6-4C5B-4548-A9A2-6728BEFC63DA", "versionEndExcluding": "7.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue."}, {"lang": "es", "value": "Lychee es una herramienta de gesti\u00f3n de fotos gratuita y de c\u00f3digo abierto. Antes de la versi\u00f3n 7.5.2, la protecci\u00f3n SSRF en 'PhotoUrlRule.php' puede ser eludida utilizando el rebinding de DNS. La comprobaci\u00f3n de validaci\u00f3n de IP (l\u00edneas 86-89) solo se activa cuando el nombre de host es una direcci\u00f3n IP. Cuando se utiliza un nombre de dominio, 'filter_var($host, FILTER_VALIDATE_IP)' devuelve 'false', omitiendo toda la comprobaci\u00f3n. La versi\u00f3n 7.5.2 corrige el problema."}], "id": "CVE-2026-33644", "lastModified": "2026-03-30T18:10:16.807", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "[email protected]", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-26T21:17:07.793", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/LycheeOrg/Lychee/commit/28c5261fb9deab4f9420c8cc2f73a87425939107"}, {"source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5245-4p8c-jwff"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.5.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Lychee", "source": "cna", "vendor": "LycheeOrg"}, "product": "lychee", "vendor": "lycheeorg"}], "analysis": {"en": {"generated_at": "2026-03-26T21:52:29.191871+00:00", "value": {"mitigation_remediation": ["Upgrade Lychee to version 7.5.2 or newer", "If an upgrade cannot be performed immediately, limit outbound connections from the Lychee instance to a whitelist of trusted IPs and domains", "Verify that the SSRF protection logic no longer skips host validation by testing with controlled inputs"], "summary": {"action": "Apply Patch", "impact": "Server\u2011Side Request Forgery via DNS rebinding"}, "threat_synthesis": {"affected_systems": "Lychee installations from the official repository before version 7.5.2 are affected. Any deployment running these releases that processes external URLs through the PhotoUrlRule component is vulnerable.", "description_and_impact": "The vulnerability stems from a flaw in Lychee\u2019s SSRF filter, which verifies only literal IP addresses. When the application receives a domain name that resolves to a private network address, the IP\u2010validation step is bypassed, permitting outbound HTTP requests to internal resources. This can expose sensitive services or data on the internal network and provide a foothold for further attacks. The weakness is an SSRF scenario, classed as a server\u2011side request forgery.", "risk_and_exploitability": "The assigned CVSS score of 2.3 reflects a low severity level; no EPSS score is available and the issue is not listed in the CISA known\u2011exploited vulnerabilities catalog. Exploiting the flaw requires an attacker to craft a DNS rebinding attack that forces the Lychee server to resolve a domain to an internal IP address. While this does not grant code execution on the host, it enables the attacker to probe or communicate with services behind the firewall, depending on the internal network\u2019s exposure."}}}}, "created": "2026-03-27T08:32:11.724562+00:00", "updated": "2026-03-27T09:23:40.102967+00:00", "vendors": ["lycheeorg", "lycheeorg$PRODUCT$lychee"]}