Lycheeorg: >> Lychee >> 3.1.6 Security Vulnerabilities
Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protected public album, the system automatically unlocks ALL other public albums that share the same password, resulting in a complete authorization bypass. This vulnerability is fixed in 7.1.0.
CVSS Score
4.3
EPSS Score
0.0
Published
2026-01-12
Cross-site Request Forgery (CSRF) vulnerability in Lychee version 3.1.6, allows remote attackers to execute arbitrary code via the create new album function.
CVSS Score
8.3
EPSS Score
0.011
Published
2024-03-22
Cross Site Scripting (XSS) vulnerability in Lychee 3.1.6, allows remote attackers to execute arbitrary code and obtain sensitive information via the title parameter when creating an album.
CVSS Score
6.1
EPSS Score
0.003
Published
2024-03-22