Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

All statuses
Filter by:
With package: tests.testers.lycheeLinkCheck.network

Found 3 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2026-39957
created 5 days, 9 hours ago
Lychee has Broken Access Control in SharingController::listAll() leaks private album sharing metadata to unauthorized users

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when() block. Any authenticated non-admin user with upload permission who owns at least one album can retrieve all user-group-based sharing permissions across the entire instance, including private albums owned by other users. This vulnerability is fixed in 7.5.4.

Affected products

Lychee
  • ==< 7.5.4

Matching in nixpkgs

pkgs.lychee

Fast, async, stream-based link checker written in Rust

pkgs.lycheeslicer

All-in-one 3D slicer for resin and FDM printers

  • nixos-unstable 7.6.3
    • nixpkgs-unstable 7.6.3
    • nixos-unstable-small 7.6.3
  • nixos-25.11 -
    • nixos-25.11-small 7.5.0
    • nixpkgs-25.11-darwin 7.5.0

Package maintainers

Untriaged
Permalink CVE-2026-33644
created 2 weeks, 5 days ago
Lychee has SSRF bypass via DNS rebinding — PhotoUrlRule only validates IP addresses, not hostnames resolving to internal IPs

Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue.

Affected products

Lychee
  • ==< 7.5.2

Matching in nixpkgs

pkgs.lychee

Fast, async, stream-based link checker written in Rust

pkgs.lycheeslicer

All-in-one 3D slicer for resin and FDM printers

Package maintainers

Untriaged
Permalink CVE-2026-33537
created 2 weeks, 5 days ago
Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl — loopback and link-local IPs not blocked

Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach internal services using direct IP addresses, bypassing all four protection configuration settings even when they are set to their secure defaults. Version 7.5.1 contains a fix for the issue.

Affected products

Lychee
  • ==< 7.5.1

Matching in nixpkgs

pkgs.lychee

Fast, async, stream-based link checker written in Rust

pkgs.lycheeslicer

All-in-one 3D slicer for resin and FDM printers

Package maintainers