Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in PhotoUrlRule.php can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a domain name is used, filter_var($host, FILTER_VALIDATE_IP) returns false, skipping the entire check. Version 7.5.2 patches the issue.
AnalysisAI
DNS rebinding bypasses SSRF protection in Lychee photo-management tool versions prior to 7.5.2, allowing authenticated remote attackers to access restricted internal resources by providing domain names instead of IP addresses to the photo URL import feature. The vulnerability exploits a logic flaw in PhotoUrlRule.php where hostname validation only applies to IP addresses, leaving domain-based requests unvalidated. Vendor-released patch available (version 7.5.2); no public exploit identified at time of analysis.
Technical ContextAI
The vulnerability exists in Lychee (CPE: cpe:2.3:a:lycheeorg:lychee:*:*:*:*:*:*:*:*), a PHP-based open-source photo management application. The root cause is classified under CWE-918 (Server-Side Request Forgery), specifically a logic flaw in the IP validation routine within PhotoUrlRule.php. The vulnerable code at lines 86-89 uses PHP's filter_var($host, FILTER_VALIDATE_IP) function to detect and block private/reserved IP addresses. However, this validation only executes when the hostname parameter is directly an IP address string. When users provide fully qualified domain names (FQDNs), filter_var() returns false, causing the conditional block to be skipped entirely. An attacker can then leverage DNS rebinding-a technique where a domain name resolves to a different IP address on subsequent queries-to initially pass domain validation and later resolve to internal resources (e.g., 127.0.0.1, 192.168.x.x, or cloud metadata endpoints). This bypasses the intended SSRF boundary enforcement.
RemediationAI
Upgrade Lychee to version 7.5.2 or later immediately via your package manager or direct GitHub release download (https://github.com/LycheeOrg/Lychee). Verify the patched version includes the fix committed at https://github.com/LycheeOrg/Lychee/commit/28c5261fb9deab4f9420c8cc2f73a87425939107. Until patching is feasible, implement network-level controls: restrict outbound HTTP/HTTPS access from the Lychee application to known-safe ranges, disable photo URL import functionality via application configuration if available, and enforce strict firewall rules preventing connections to private network ranges (RFC 1918, 169.254.x.x, 127.x.x.x). Monitor application logs for unusual URL import requests containing domain names that resolve to internal infrastructure. Additionally, review and harden DNS resolver configuration to mitigate DNS rebinding attacks (e.g., use DNS rebinding protection in corporate DNS appliances).
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16374