CVE-2026-33738
Status: Received - Intake
Stored XSS in Lychee Photo Description Allows Remote Script Execution

Publication date: 2026-03-26

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue.
Meta Information
Published: 2026-03-26
Last Modified: 2026-03-30
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: lycheeorg | Product: lychee | Version / Range: up to 7.5.3 (excluding)
CWE ID / Description
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33738 is a Stored Cross-Site Scripting (XSS) vulnerability in the Lychee photo management application affecting versions up to 7.5.2. The vulnerability occurs because the photo description field is stored and rendered without HTML sanitization in the RSS, Atom, and JSON feed templates. Specifically, the application uses Blade's unescaped output syntax to render the description, allowing any embedded HTML or JavaScript to execute in RSS readers.

An attacker with an authenticated account can inject malicious JavaScript into a photo description, which is then served publicly via the /feed endpoint without authentication. This enables execution of attacker-controlled scripts in the context of feed consumers.

The vulnerability arises from accepting unsanitized input in the photo description, storing it as-is, and rendering it unescaped in feed templates, leading to potential session theft, credential harvesting, or phishing attacks.


How can this vulnerability impact me?

This vulnerability can impact users by allowing attackers to execute malicious JavaScript in the context of RSS readers or other feed consumers accessing the public /feed endpoint.

  • Attackers with authenticated accounts can inject malicious scripts into photo descriptions.
  • Any user consuming the public RSS, Atom, or JSON feeds can have malicious scripts executed in their feed readers.
  • Potential consequences include session hijacking, credential theft, phishing attacks, and other malicious activities leveraging the executed scripts.

The vulnerability has a medium severity rating (CVSS v3.1 score 5.4) and requires user interaction and low privileges to exploit.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the Lychee photo management application is running a version prior to 7.5.3 and if the /feed endpoint is publicly accessible without authentication.

To detect exploitation or presence of malicious payloads, you can inspect the content served by the /feed endpoint (RSS, Atom, JSON feeds) for unescaped HTML or JavaScript in the photo description fields.

Suggested commands include using curl or wget to fetch the feed and grep or jq to inspect the content:

  • curl -s http://your-lychee-domain/feed | grep -i '<script\|onerror\|<img'
  • curl -s http://your-lychee-domain/feed/json | jq '.items[].summary' | grep -i '<script\|onerror\|<img'

Additionally, reviewing the application version can be done by checking the version file or querying the application metadata to confirm if it is below 7.5.3.
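As an added detection example (not Lychee's own code and not part of this record): an offline Python check that applies the feed inspection described above to saved copies of the RSS and JSON feeds and compares a reported version against 7.5.3. The sample feeds are constructed; the CDATA wrapping of the RSS description and the `summary` key of the JSON feed follow this record's wording but are assumptions.

```python
"""Added example (not Lychee's code): scan saved feed documents for markup in
photo descriptions and check a reported version against the fixed release."""
import json
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (7, 5, 3)
# Markers that should never appear in a plain-text photo description.
# Matches both raw tags and tags that a feed has XML-escaped (ET unescapes them).
SUSPICIOUS = re.compile(
    r"<\s*(script|img|iframe|svg)\b|\bon(error|load|click|mouseover|focus)\s*=|javascript:",
    re.I,
)

def is_vulnerable_version(version: str) -> bool:
    """True when the reported Lychee version is older than 7.5.3."""
    parts = tuple(int(p) for p in version.strip().lstrip("v").split("."))
    return parts < FIXED_VERSION

def scan_rss(xml_text: str) -> list:
    """Return (title, description) pairs whose description carries markup."""
    root = ET.fromstring(xml_text)
    hits = []
    for item in root.iter("item"):
        desc = item.findtext("description", default="")
        if SUSPICIOUS.search(desc):
            hits.append((item.findtext("title", default=""), desc))
    return hits

def scan_json_feed(json_text: str) -> list:
    """Same check for the JSON feed; the description is assumed to be 'summary'."""
    feed = json.loads(json_text)
    hits = []
    for item in feed.get("items", []):
        text = item.get("summary") or item.get("content_html") or ""
        if SUSPICIOUS.search(text):
            hits.append((item.get("title", ""), text))
    return hits

# Constructed sample feeds: one clean entry and one with an injected tag.
RSS_SAMPLE = """<rss version="2.0"><channel>
<item><title>Sunset</title><description><![CDATA[Evening on the pier]]></description></item>
<item><title>Harbour</title><description><![CDATA[View <img src=x onerror=alert(1)>]]></description></item>
</channel></rss>"""
JSON_SAMPLE = json.dumps({"version": "https://jsonfeed.org/version/1.1", "items": [
    {"title": "Sunset", "summary": "Evening on the pier"},
    {"title": "Harbour", "summary": "View <script>alert(1)</script>"}]})

if __name__ == "__main__":
    print("vulnerable version:", is_vulnerable_version("7.5.2"))
    for title, desc in scan_rss(RSS_SAMPLE) + scan_json_feed(JSON_SAMPLE):
        print("markup in description of", repr(title), "->", desc)
```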


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the Lychee application to version 7.5.3 or later, where the vulnerability is fixed.

The fix involves sanitizing the photo description field by converting Markdown to safe HTML and properly encoding JSON feed outputs to prevent execution of malicious scripts.

If upgrading immediately is not possible, restrict or disable public access to the /feed endpoint to prevent exposure of malicious content.

Additionally, review and sanitize existing photo descriptions that may contain malicious scripts.

Clear application caches after applying the fix or upgrade to ensure no vulnerable content is served from cache.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attacker-controlled JavaScript to be executed in publicly accessible RSS, Atom, and JSON feeds due to improper sanitization of photo descriptions. This can lead to session theft, credential harvesting, or phishing attacks against users consuming these feeds.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of user information to prevent unauthorized access or data breaches.

Specifically, the risk of session hijacking and credential theft could lead to unauthorized access to personal data, violating principles of data confidentiality and integrity mandated by these regulations.

The fix implemented in version 7.5.3, which sanitizes feed content and properly encodes JSON output, helps mitigate these risks and supports compliance by reducing the attack surface for data exposure through XSS.

