{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33738", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.561Z", "datePublished": "2026-03-26T20:25:44.648Z", "dateUpdated": "2026-03-27T13:55:55.702Z"}, "containers": {"cna": {"title": "Lychee Vulnerable to Stored XSS via Photo Description in RSS/Atom/JSON Feed (No Sanitization on Public Endpoint)", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j"}, {"name": "https://github.com/LycheeOrg/Lychee/pull/4218", "tags": ["x_refsource_MISC"], "url": "https://github.com/LycheeOrg/Lychee/pull/4218"}, {"name": "https://github.com/LycheeOrg/Lychee/commit/d2e2606a0223d5a384d5b806db1b31eb587adc5c", "tags": ["x_refsource_MISC"], "url": "https://github.com/LycheeOrg/Lychee/commit/d2e2606a0223d5a384d5b806db1b31eb587adc5c"}, {"name": "https://github.com/LycheeOrg/Lychee/releases/tag/v7.5.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/LycheeOrg/Lychee/releases/tag/v7.5.3"}], "affected": [{"vendor": "LycheeOrg", "product": "Lychee", "versions": [{"version": "< 7.5.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:25:44.648Z"}, "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue."}], "source": {"advisory": "GHSA-5574-7f3r-hm9j", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:35:56.585454Z", "id": "CVE-2026-33738", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:55:55.702Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33738", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T13:35:56.585454Z"}}}], "references": [{"url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:35:49.583Z"}}], "cna": {"title": "Lychee Vulnerable to Stored XSS via Photo Description in RSS/Atom/JSON Feed (No Sanitization on Public Endpoint)", "source": {"advisory": "GHSA-5574-7f3r-hm9j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "LycheeOrg", "product": "Lychee", "versions": [{"status": "affected", "version": "< 7.5.3"}]}], "references": [{"url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j", "name": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/LycheeOrg/Lychee/pull/4218", "name": "https://github.com/LycheeOrg/Lychee/pull/4218", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/LycheeOrg/Lychee/commit/d2e2606a0223d5a384d5b806db1b31eb587adc5c", "name": "https://github.com/LycheeOrg/Lychee/commit/d2e2606a0223d5a384d5b806db1b31eb587adc5c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/LycheeOrg/Lychee/releases/tag/v7.5.3", "name": "https://github.com/LycheeOrg/Lychee/releases/tag/v7.5.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:25:44.648Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33738", "state": "PUBLISHED", "dateUpdated": "2026-03-27T13:55:55.702Z", "dateReserved": "2026-03-23T17:34:57.561Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T20:25:44.648Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lycheeorg:lychee:*:*:*:*:*:*:*:*", "matchCriteriaId": "9FC80F07-5E2D-4C7A-8D56-32C4C8CFAA6F", "versionEndExcluding": "7.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue."}, {"lang": "es", "value": "Lychee es una herramienta de gesti\u00f3n de fotos gratuita y de c\u00f3digo abierto. Antes de la versi\u00f3n 7.5.3, el campo `description` de la foto se almacena sin saneamiento HTML y se renderiza usando `{!! $item-&gt;summary !!}` (salida sin escape de Blade) en las plantillas de feeds RSS, Atom y JSON. El endpoint `/feed` es p\u00fablicamente accesible sin autenticaci\u00f3n, permitiendo que cualquier lector RSS ejecute JavaScript controlado por el atacante. La versi\u00f3n 7.5.3 corrige el problema."}], "id": "CVE-2026-33738", "lastModified": "2026-03-30T18:45:14.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T21:17:08.110", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/LycheeOrg/Lychee/commit/d2e2606a0223d5a384d5b806db1b31eb587adc5c"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/LycheeOrg/Lychee/pull/4218"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/LycheeOrg/Lychee/releases/tag/v7.5.3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.5.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Lychee", "source": "cna", "vendor": "LycheeOrg"}, "product": "lychee", "vendor": "lycheeorg"}], "analysis": {"en": {"generated_at": "2026-03-30T20:40:33.078971+00:00", "value": {"mitigation_remediation": ["Upgrade Lychee to version 7.5.3 or later, where the issue is fixed.", "If an upgrade is not immediately possible, restrict access to the /feed endpoint via firewall or HTTP authentication to prevent unauthenticated readers from receiving the vulnerable content.", "As a temporary mitigation, remove or sanitize any photo descriptions that may contain unsanitized input."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via public RSS feed"}, "threat_synthesis": {"affected_systems": "Lychee, the open\u2011source photo\u2011management application published by LycheeOrg, is affected. All installations running a version older than 7.5.3 are vulnerable. The issue exists in the `/feed` endpoint that is publicly accessible without authentication.", "description_and_impact": "Lychee stores photo description text without sanitization and directly injects it into the public RSS, Atom, and JSON feeds using unescaped Blade output. This allows an attacker to embed arbitrary JavaScript in a photo\u2019s description. When any RSS reader or script parses the feed, the malicious code runs in the reader\u2019s browser context, potentially stealing session cookies, performing actions on behalf of the user, and compromising confidentiality and integrity of user data. The vulnerability is a stored cross\u2011site scripting flaw (CWE\u201179).", "risk_and_exploitability": "With a CVSS score of 4.8 the flaw is considered moderate severity. The EPSS score of under 1% suggests that the probability of exploitation is low, and the vulnerability is not flagged in the CISA KEV catalog. The attack path is simple: an attacker submits a photo description containing malicious JavaScript and places the photo in a publicly accessible feed. The stored payload is then served to any RSS reader that pulls the feed; no authentication or special privileges are required. Once the victim\u2019s browser interprets the feed, the injected script can execute with the privileges of the viewer, leading to data theft or other client\u2011side breaches."}}}}, "created": "2026-03-27T08:32:06.203619+00:00", "updated": "2026-03-30T20:57:27.188967+00:00", "vendors": ["lycheeorg", "lycheeorg$PRODUCT$lychee"]}