EUVD-2026-16374

| CVE-2026-33644 LOW
2026-03-26 GitHub_M
2.3
CVSS 4.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Mar 26, 2026 - 20:31 vuln.today
EUVD ID Assigned
Mar 26, 2026 - 20:31 euvd
EUVD-2026-16374
CVE Published
Mar 26, 2026 - 20:04 nvd
LOW 2.3

Tags

SSRF PHP

Description

Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue.

Analysis

DNS rebinding bypasses SSRF protection in Lychee photo-management tool versions prior to 7.5.2, allowing authenticated remote attackers to access restricted internal resources by providing domain names instead of IP addresses to the photo URL import feature. The vulnerability exploits a logic flaw in PhotoUrlRule.php where hostname validation only applies to IP addresses, leaving domain-based requests unvalidated. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

During next maintenance window: Apply vendor patches when convenient. Monitor vendor channels for updates.

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

12
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +12
POC: 0

Share

EUVD-2026-16374 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy