{"id":"CVE-2023-52082","summary":"Lychee is vulnerable to an SQL Injection in explain DB queries.","details":"Lychee is a free photo-management tool.  Prior to 5.0.2, Lychee is vulnerable to an SQL injection on any binding when using MySQL/MariaDB. This injection is only active on installations whose `.env` settings have DB_LOG_SQL=true and DB_LOG_SQL_EXPLAIN=true. The default settings of Lychee are safe.  The patch is provided in version 5.0.2.  To work around this issue, disable SQL EXPLAIN logging.\n","aliases":["GHSA-rjwv-5j3m-p5x4"],"modified":"2026-04-02T09:45:16.707461Z","published":"2023-12-28T15:46:24.291Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52082.json","cwe_ids":["CWE-89"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52082.json"},{"type":"ADVISORY","url":"https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-rjwv-5j3m-p5x4"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52082"},{"type":"FIX","url":"https://github.com/LycheeOrg/Lychee/commit/33354a2ce7cf700cc4ee537b7b8b94dfc1e84ad4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lycheeorg/lychee","events":[{"introduced":"94f670ac8bb5ab60b9918946e3b9b7d315a0eba3"},{"fixed":"33354a2ce7cf700cc4ee537b7b8b94dfc1e84ad4"}]}],"versions":["v4.10.0","v4.11.0","v4.11.1","v4.12.0","v4.13.0","v4.9.3","v4.9.4","v5.0.0","v5.0.0-beta","v5.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52082.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}