CVE-2026-33738
Received Received - Intake
Stored XSS in Lychee Photo Description Allows Remote Script Execution

Publication date: 2026-03-26

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33738
EUVD
EUVD-2026-16417
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lycheeorg lychee to 7.5.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows attacker-controlled JavaScript to be executed in publicly accessible RSS, Atom, and JSON feeds due to improper sanitization of photo descriptions. This can lead to session theft, credential harvesting, or phishing attacks against users consuming these feeds.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of user information to prevent unauthorized access or data breaches.

Specifically, the risk of session hijacking and credential theft could lead to unauthorized access to personal data, violating principles of data confidentiality and integrity mandated by these regulations.

The fix implemented in version 7.5.3, which sanitizes feed content and properly encodes JSON output, helps mitigate these risks and supports compliance by reducing the attack surface for data exposure through XSS.

Executive Summary

CVE-2026-33738 is a Stored Cross-Site Scripting (XSS) vulnerability in the Lychee photo management application affecting versions up to 7.5.2. The vulnerability occurs because the photo description field is stored and rendered without HTML sanitization in the RSS, Atom, and JSON feed templates. Specifically, the application uses Blade's unescaped output syntax to render the description, allowing any embedded HTML or JavaScript to execute in RSS readers.

An attacker with an authenticated account can inject malicious JavaScript into a photo description, which is then served publicly via the /feed endpoint without authentication. This enables execution of attacker-controlled scripts in the context of feed consumers.

The vulnerability arises from accepting unsanitized input in the photo description, storing it as-is, and rendering it unescaped in feed templates, leading to potential session theft, credential harvesting, or phishing attacks.

Impact Analysis

This vulnerability can impact users by allowing attackers to execute malicious JavaScript in the context of RSS readers or other feed consumers accessing the public /feed endpoint.

  • Attackers with authenticated accounts can inject malicious scripts into photo descriptions.
  • Any user consuming the public RSS, Atom, or JSON feeds can have malicious scripts executed in their feed readers.
  • Potential consequences include session hijacking, credential theft, phishing attacks, and other malicious activities leveraging the executed scripts.

The vulnerability has a medium severity rating (CVSS v3.1 score 5.4) and requires user interaction and low privileges to exploit.

Detection Guidance

This vulnerability can be detected by checking if the Lychee photo management application is running a version prior to 7.5.3 and if the /feed endpoint is publicly accessible without authentication.

To detect exploitation or presence of malicious payloads, you can inspect the content served by the /feed endpoint (RSS, Atom, JSON feeds) for unescaped HTML or JavaScript in the photo description fields.

Suggested commands include using curl or wget to fetch the feed and grep or jq to inspect the content:

  • curl -s http://your-lychee-domain/feed | grep -i '<script\|onerror\|<img'
  • curl -s http://your-lychee-domain/feed/json | jq '.items[].summary' | grep -i '<script\|onerror\|<img'

Additionally, reviewing the application version can be done by checking the version file or querying the application metadata to confirm if it is below 7.5.3.

Mitigation Strategies

The immediate mitigation step is to upgrade the Lychee application to version 7.5.3 or later, where the vulnerability is fixed.

The fix involves sanitizing the photo description field by converting Markdown to safe HTML and properly encoding JSON feed outputs to prevent execution of malicious scripts.

If upgrading immediately is not possible, restrict or disable public access to the /feed endpoint to prevent exposure of malicious content.

Additionally, review and sanitize existing photo descriptions that may contain malicious scripts.

Clear application caches after applying the fix or upgrade to ensure no vulnerable content is served from cache.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33738. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart