Skip to main content

PHP CVE-2026-33644

| EUVDEUVD-2026-16374 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-26 GitHub_M
2.3
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
7.5.2
EUVD ID Assigned
Mar 26, 2026 - 20:31 euvd
EUVD-2026-16374
Analysis Generated
Mar 26, 2026 - 20:31 vuln.today
CVE Published
Mar 26, 2026 - 20:04 nvd
LOW 2.3

DescriptionGitHub Advisory

Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in PhotoUrlRule.php can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a domain name is used, filter_var($host, FILTER_VALIDATE_IP) returns false, skipping the entire check. Version 7.5.2 patches the issue.

AnalysisAI

DNS rebinding bypasses SSRF protection in Lychee photo-management tool versions prior to 7.5.2, allowing authenticated remote attackers to access restricted internal resources by providing domain names instead of IP addresses to the photo URL import feature. The vulnerability exploits a logic flaw in PhotoUrlRule.php where hostname validation only applies to IP addresses, leaving domain-based requests unvalidated. Vendor-released patch available (version 7.5.2); no public exploit identified at time of analysis.

Technical ContextAI

The vulnerability exists in Lychee (CPE: cpe:2.3:a:lycheeorg:lychee:*:*:*:*:*:*:*:*), a PHP-based open-source photo management application. The root cause is classified under CWE-918 (Server-Side Request Forgery), specifically a logic flaw in the IP validation routine within PhotoUrlRule.php. The vulnerable code at lines 86-89 uses PHP's filter_var($host, FILTER_VALIDATE_IP) function to detect and block private/reserved IP addresses. However, this validation only executes when the hostname parameter is directly an IP address string. When users provide fully qualified domain names (FQDNs), filter_var() returns false, causing the conditional block to be skipped entirely. An attacker can then leverage DNS rebinding-a technique where a domain name resolves to a different IP address on subsequent queries-to initially pass domain validation and later resolve to internal resources (e.g., 127.0.0.1, 192.168.x.x, or cloud metadata endpoints). This bypasses the intended SSRF boundary enforcement.

RemediationAI

Upgrade Lychee to version 7.5.2 or later immediately via your package manager or direct GitHub release download (https://github.com/LycheeOrg/Lychee). Verify the patched version includes the fix committed at https://github.com/LycheeOrg/Lychee/commit/28c5261fb9deab4f9420c8cc2f73a87425939107. Until patching is feasible, implement network-level controls: restrict outbound HTTP/HTTPS access from the Lychee application to known-safe ranges, disable photo URL import functionality via application configuration if available, and enforce strict firewall rules preventing connections to private network ranges (RFC 1918, 169.254.x.x, 127.x.x.x). Monitor application logs for unusual URL import requests containing domain names that resolve to internal infrastructure. Additionally, review and harden DNS resolver configuration to mitigate DNS rebinding attacks (e.g., use DNS rebinding protection in corporate DNS appliances).

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-33644 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy