CVE-2026-33644
EUVD-2026-1637426.03.2026, 21:17
Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| lycheeorg | lychee | 𝑥 < 7.5.2 |
𝑥
= Vulnerable software versions