Unrated severity · NVD Advisory · Published Mar 26, 2026 · Updated Mar 30, 2026
Lychee has SSRF bypass via DNS rebinding — PhotoUrlRule only validates IP addresses, not hostnames resolving to internal IPs
CVE-2026-33644
Description
Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in PhotoUrlRule.php can be bypassed using DNS rebinding. The IP validation check (lines 86-89) only runs when the hostname is an IP literal. When a domain name is used, filter_var($host, FILTER_VALIDATE_IP) returns false and the entire check is skipped, so a hostname that resolves to an internal address is never rejected. Version 7.5.2 patches the issue.
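The following PHP is an added example, not Lychee's source and not the 7.5.2 fix (see the referenced commit for the project's actual change). It reconstructs the weak pattern the description states, a range check that only runs on IP literals, beside a hardened variant that resolves the hostname itself, requires every answer to be public, and hands back the vetted address so the caller can pin the connection to it. All function names, the injected resolver, and the host names used in the demo are constructed for this example.

```php
<?php
// Added example (not Lychee's code). Function names are assumptions.
declare(strict_types=1);

/**
 * The pattern the advisory describes, reconstructed from the description:
 * the private/reserved-range check runs only when $host is an IP literal,
 * so a hostname is accepted without ever being resolved or checked.
 */
function weakHostCheck(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return filter_var(
            $host,
            FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
        ) !== false;
    }
    return true; // hostname: the whole check is skipped
}

/** True if $ip is a public address: not private, not reserved, not shared address space. */
function isPublicIp(string $ip): bool
{
    // Covers RFC 1918 / fc00::/7 (NO_PRIV_RANGE) and loopback, link-local,
    // 0.0.0.0/8, 240/4, ::1, ::ffff:0:0/96, fe80::/10 (NO_RES_RANGE).
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return false;
    }
    // 100.64.0.0/10 (RFC 6598 shared address space) is not excluded by the flags.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        [$a, $b] = array_map('intval', explode('.', $ip));
        if ($a === 100 && $b >= 64 && $b <= 127) {
            return false;
        }
    }
    return true;
}

/** Resolve A and AAAA records through the system resolver. */
function defaultResolver(string $host): array
{
    $ips = [];
    foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rec) {
        $ips[] = $rec['ip'] ?? $rec['ipv6'];
    }
    return $ips;
}

/**
 * Hardened variant. Returns the vetted IP address the fetch must connect to,
 * or null if the URL is rejected. Resolving here and then connecting to the
 * returned address (rather than letting the HTTP client resolve the name
 * again) is what closes the rebinding window between check and fetch.
 */
function vetPhotoUrl(string $url, ?callable $resolver = null): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'], $parts['scheme'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    $host = trim($parts['host'], '[]'); // parse_url keeps brackets on IPv6 literals

    // IP literal: no DNS involved, just check the range.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return isPublicIp($host) ? $host : null;
    }

    // Hostname: every A/AAAA answer must be public, otherwise reject.
    $resolver ??= 'defaultResolver';
    $addresses = $resolver($host);
    if ($addresses === []) {
        return null;
    }
    foreach ($addresses as $ip) {
        if (!isPublicIp($ip)) {
            return null;
        }
    }
    return $addresses[0];
}

// Constructed demo with an injected resolver so it runs offline.
// 'rebind.example' answers with one public and one loopback address.
$fakeResolver = fn(string $h): array => $h === 'rebind.example'
    ? ['93.184.216.34', '127.0.0.1']
    : ['93.184.216.34'];

var_dump(weakHostCheck('rebind.example'));                   // accepted: the bug
var_dump(vetPhotoUrl('http://rebind.example/a.jpg', $fakeResolver));
var_dump(vetPhotoUrl('http://photos.example/a.jpg', $fakeResolver));
var_dump(vetPhotoUrl('http://127.0.0.1/a.jpg'));
var_dump(vetPhotoUrl('file:///etc/hostname'));
```

The returned address is only useful if the fetch actually uses it: with the curl extension, pass it through `CURLOPT_RESOLVE` as `"host:port:address"` so the client does not perform a second lookup that an attacker-controlled resolver could answer differently. Rejecting redirects, or re-vetting each redirect target the same way, is needed for the same reason.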
Affected products: 1
Patches: 0 (no patches discovered yet in this index)
References
- github.com/LycheeOrg/Lychee/commit/28c5261fb9deab4f9420c8cc2f73a87425939107
- github.com/LycheeOrg/Lychee/security/advisories/GHSA-5245-4p8c-jwff