Every CVE whose affected-product data names Lycheeorg Lychee, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (9)
CVE-2023-52082 — CVSS 8.8 (high): Lychee is a free photo-management tool. Prior to 5.0.2, Lychee is vulnerable to an SQL injection on any binding when using mysql/mariadb…
CVE-2024-25808 — CVSS 8.3 (high): Cross-site Request Forgery (CSRF) vulnerability in Lychee version 3.1.6, allows remote attackers to execute arbitrary code via the create…
CVE-2024-25807 — CVSS 6.1 (medium): Cross Site Scripting (XSS) vulnerability in Lychee 3.1.6, allows remote attackers to execute arbitrary code and obtain sensitive…
CVE-2021-43675 — CVSS 6.1 (medium): Lychee-v3 3.2.16 is affected by a Cross Site Scripting (XSS) vulnerability in php/Access/Guest.php. The function exit will terminate the…
CVE-2026-33738 — CVSS 5.4 (medium): Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML…
CVE-2026-33537 — CVSS 5.0 (medium): Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an…
CVE-2026-39957 — CVSS 4.3 (medium): Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes…
CVE-2026-22784 — CVSS 4.3 (medium): Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password…
CVE-2026-33644 — CVSS 4.3 (medium): Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed…