CVE-2026-33738: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LycheeOrg Lychee
CVE-2026-33738 is a medium-severity cross-site scripting (XSS) vulnerability in Lychee, an open-source photo-management tool. Versions prior to 7.5.3 fail to sanitize HTML in the photo description field, which is rendered unescaped in RSS, Atom, and JSON feeds via the publicly accessible /feed endpoint. This allows attackers to inject malicious JavaScript that executes in the context of any RSS reader consuming these feeds, without requiring authentication. The vulnerability is fixed in version 7.5.3. While no known exploits are reported in the wild, the flaw poses a risk of session hijacking, data theft, or other client-side attacks. Organizations using vulnerable Lychee versions should upgrade promptly and consider restricting feed access or sanitizing inputs as interim measures.
AI Analysis
Technical Summary
Lychee is a free, open-source photo-management application widely used for organizing and sharing images. In versions prior to 7.5.3, the application stores the photo description field without applying HTML sanitization. This field is then rendered using Blade's unescaped output syntax ({!! $item->summary !!}) in the RSS, Atom, and JSON feed templates, which are served from the /feed endpoint without requiring user authentication. Because the input is never neutralized, an attacker can inject arbitrary JavaScript into the photo description; when a victim's RSS reader or any other client consumes the feed, the script executes in the context of that client, a stored cross-site scripting (XSS) vulnerability categorized under CWE-79. The vulnerability was assigned CVE-2026-33738 and a CVSS score of 4.8 (medium), reflecting its network accessibility and partial impact on confidentiality and integrity. The issue is resolved in Lychee version 7.5.3 by properly sanitizing the description field before rendering. No public exploits have been reported, but the vulnerability could be leveraged for session hijacking, credential theft, or delivering further malware payloads via client-side execution.
Potential Impact
The primary impact of this vulnerability is on the confidentiality and integrity of users consuming the RSS, Atom, or JSON feeds generated by vulnerable Lychee instances. Attackers can execute arbitrary JavaScript in the context of the feed consumer, potentially stealing session cookies, redirecting users to malicious sites, or performing actions on behalf of the user. Since the /feed endpoint is publicly accessible without authentication, any attacker can exploit this without prior access. Organizations using Lychee for photo management and sharing may inadvertently expose their users or subscribers to client-side attacks. Although the vulnerability does not directly affect server availability or integrity, the reputational damage and potential data breaches resulting from successful exploitation can be significant. The scope is limited to users consuming the feeds, but given the public nature of the endpoint, the attack surface is broad. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat.
Mitigation Recommendations
The definitive mitigation is to upgrade Lychee to version 7.5.3 or later, where the description field is properly sanitized before rendering in feeds. Until an upgrade is possible, administrators should consider disabling the /feed endpoint or restricting it to trusted users or IP ranges to reduce exposure. Implementing web application firewalls (WAFs) with rules to detect and block suspicious script tags or payloads in feed requests can provide interim protection. Additionally, sanitizing or validating photo descriptions at input time to strip or encode HTML tags can reduce risk. RSS feed consumers should be cautious and use clients that implement script blocking or sandboxing. Monitoring logs for unusual feed access patterns or injection attempts can help detect exploitation. Finally, educating users about the risks of consuming feeds from untrusted sources is advisable.
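As an added illustration (not Lychee's own code and not its 7.5.3 fix), the following Python models the defender-side change the analysis and mitigation sections describe: run the photo description through an allowlist HTML sanitizer before it is placed in an RSS item, instead of emitting the stored field raw as the {!! $item->summary !!} template did. The tag and attribute allowlists, the DescriptionSanitizer class and the rss_item helper are assumptions chosen for the example.

```python
# Added example (not Lychee's code): allowlist sanitization of a photo description before RSS output.
from html.parser import HTMLParser
from xml.sax.saxutils import escape, quoteattr

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br"}   # assumed allowlist
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class DescriptionSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # >0 while inside <script>/<style>, whose text is dropped entirely

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tags (img, iframe, svg, ...) are dropped; their text is kept
        kept = []
        for name, value in attrs:
            # Event handlers (onerror, onclick, ...) are never allowlisted; href needs a safe scheme.
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None \
                    and value.strip().lower().startswith(SAFE_SCHEMES):
                kept.append(f" {name}={quoteattr(value)}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so "&lt;script&gt;" in the input stays literal text for the reader.
        if not self.skip:
            self.out.append(escape(data))

def sanitize_description(raw: str) -> str:
    parser = DescriptionSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)

def rss_item(title: str, description: str) -> str:
    # RSS readers decode <description> and render it as HTML, so XML-escaping the raw field
    # alone would not neutralise markup; sanitize first, then escape for the XML layer.
    body = escape(sanitize_description(description))
    return f"<item><title>{escape(title)}</title><description>{body}</description></item>"
```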
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T17:34:57.561Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c5973e3c064ed76fca3c27
Added to database: 3/26/2026, 8:29:50 PM
Last enriched: 3/26/2026, 8:44:49 PM
Last updated: 3/26/2026, 9:33:38 PM