{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33644", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T15:23:42.216Z", "datePublished": "2026-03-26T20:04:18.728Z", "dateUpdated": "2026-03-30T11:30:40.546Z"}, "containers": {"cna": {"title": "Lychee has SSRF bypass via DNS rebinding \u2014 PhotoUrlRule only validates IP addresses, not hostnames resolving to internal IPs", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5245-4p8c-jwff", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5245-4p8c-jwff"}, {"name": "https://github.com/LycheeOrg/Lychee/commit/28c5261fb9deab4f9420c8cc2f73a87425939107", "tags": ["x_refsource_MISC"], "url": "https://github.com/LycheeOrg/Lychee/commit/28c5261fb9deab4f9420c8cc2f73a87425939107"}], "affected": [{"vendor": "LycheeOrg", "product": "Lychee", "versions": [{"version": "< 7.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:04:18.728Z"}, "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue."}], "source": {"advisory": "GHSA-5245-4p8c-jwff", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T11:30:26.685722Z", "id": "CVE-2026-33644", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:30:40.546Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33644", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T11:30:26.685722Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:30:34.191Z"}}], "cna": {"title": "Lychee has SSRF bypass via DNS rebinding \u2014 PhotoUrlRule only validates IP addresses, not hostnames resolving to internal IPs", "source": {"advisory": "GHSA-5245-4p8c-jwff", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "LycheeOrg", "product": "Lychee", "versions": [{"status": "affected", "version": "< 7.5.2"}]}], "references": [{"url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5245-4p8c-jwff", "name": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5245-4p8c-jwff", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/LycheeOrg/Lychee/commit/28c5261fb9deab4f9420c8cc2f73a87425939107", "name": "https://github.com/LycheeOrg/Lychee/commit/28c5261fb9deab4f9420c8cc2f73a87425939107", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:04:18.728Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33644", "state": "PUBLISHED", "dateUpdated": "2026-03-30T11:30:40.546Z", "dateReserved": "2026-03-23T15:23:42.216Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T20:04:18.728Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lycheeorg:lychee:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2C772E6-4C5B-4548-A9A2-6728BEFC63DA", "versionEndExcluding": "7.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue."}, {"lang": "es", "value": "Lychee es una herramienta de gesti\u00f3n de fotos gratuita y de c\u00f3digo abierto. Antes de la versi\u00f3n 7.5.2, la protecci\u00f3n SSRF en 'PhotoUrlRule.php' puede ser eludida utilizando el rebinding de DNS. La comprobaci\u00f3n de validaci\u00f3n de IP (l\u00edneas 86-89) solo se activa cuando el nombre de host es una direcci\u00f3n IP. Cuando se utiliza un nombre de dominio, 'filter_var($host, FILTER_VALIDATE_IP)' devuelve 'false', omitiendo toda la comprobaci\u00f3n. La versi\u00f3n 7.5.2 corrige el problema."}], "id": "CVE-2026-33644", "lastModified": "2026-03-30T18:10:16.807", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T21:17:07.793", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/LycheeOrg/Lychee/commit/28c5261fb9deab4f9420c8cc2f73a87425939107"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5245-4p8c-jwff"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.5.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Lychee", "source": "cna", "vendor": "LycheeOrg"}, "product": "lychee", "vendor": "lycheeorg"}], "analysis": {"en": {"generated_at": "2026-03-30T19:28:26.327158+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011supplied patch by upgrading Lychee to version 7.5.2 or later.", "Confirm that the upgraded version no longer processes the vulnerable PhotoUrlRule logic.", "If an upgrade cannot be performed immediately, restrict external URLs to known safe hosts or temporarily disable the PhotoUrlRule functionality to prevent potential SSRF.", "Review logs for unexpected outbound network activity and keep the application updated with future security releases."], "summary": {"action": "Patch", "impact": "Server\u2011Side Request Forgery via DNS rebinding"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Lychee versions prior to 7.5.2. The product is Lychee by LycheeOrg. All releases before 7.5.2 are susceptible to the SSRF bypass demonstrated.", "description_and_impact": "Lychee, a free photo\u2011management tool, contains a flaw that allows attackers to perform server\u2011side request forgery by bypassing DNS rebinding protection. In PhotoUrlRule.php, the check that validates an IP address is only executed when the hostname supplied is an IP literal. When a hostname that resolves to an internal IP is used, the validation is skipped, permitting the application to fetch arbitrary resources from internal networks. This can expose sensitive internal services or data to unauthorized parties.", "risk_and_exploitability": "The CVSS base score is 2.3, indicating low severity, and the EPSS score is less than 1%, with no listing in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation. However, the flaw is remotely exploitable via a DNS rebinding attack: an attacker registers a DNS record that resolves to an internal IP and supplies that hostname to the PhotoUrlRule endpoint. The application then performs an outbound request to the internal resource, bypassing the intended IP check. Because this requires only an HTTP request to the vulnerable endpoint, an attacker with internet access to the Lychee instance can exploit the issue to probe or reach private network services."}}}}, "created": "2026-03-27T08:32:11.724562+00:00", "updated": "2026-03-30T20:57:30.933969+00:00", "vendors": ["lycheeorg", "lycheeorg$PRODUCT$lychee"]}