{"id":"CVE-2026-33738","summary":"Lychee Vulnerable to Stored XSS via Photo Description in RSS/Atom/JSON Feed (No Sanitization on Public Endpoint)","details":"Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item-\u003esummary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue.","aliases":["GHSA-5574-7f3r-hm9j"],"modified":"2026-04-02T13:41:33.463422Z","published":"2026-03-26T20:25:44.648Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33738.json","cwe_ids":["CWE-79"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33738.json"},{"type":"FIX","url":"https://github.com/LycheeOrg/Lychee/commit/d2e2606a0223d5a384d5b806db1b31eb587adc5c"},{"type":"FIX","url":"https://github.com/LycheeOrg/Lychee/pull/4218"},{"type":"WEB","url":"https://github.com/LycheeOrg/Lychee/releases/tag/v7.5.3"},{"type":"ADVISORY","url":"https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33738"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lycheeorg/lychee","events":[{"introduced":"0"},{"fixed":"d2e2606a0223d5a384d5b806db1b31eb587adc5c"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"7.5.3"}]}}],"versions":["v4.0.0","v4.0.0-alpha.1","v4.0.0-beta.1","v4.0.0-beta.2","v4.0.1","v4.0.2","v4.0.3","v4.0.4","v4.0.5","v4.0.6","v4.0.7","v4.0.8","v4.1.0","v4.10.0","v4.11.0","v4.11.1","v4.12.0","v4.13.0","v4.2.0","v4.2.1","v4.2.2","v4.3.0","v4.3.4","v4.3.5","v4.3.6","v4.4.0","v4.5.0","v4.5.1","v4.5.2","v4.5.3","v4.6.0","v4.6.0-RC","v4.6.0-RC2","v4.6.0-RC3","v4.6.1","v4.6.1-RC1","v4.6.1-RC2","v4.6.2","v4.6.2-RC1","v4.6.2-RC2","v4.6.3-RC1","v4.6.4","v4.6.5","v4.7.0","v4.7.1","v4.7.2","v4.7.3","v4.7.4","v4.8.0","v4.8.1","v4.9.0","v4.9.1","v4.9.2","v4.9.3","v4.9.3-RC","v4.9.4","v5.0.0","v5.0.0-beta","v5.0.1","v5.0.2","v5.0.3","v5.1.0","v5.1.1","v5.1.2","v5.2.0","v5.2.1","v5.2.2","v5.3.0","v5.3.1","v5.4.0","v5.5.0","v5.5.1","v6.0.0","v6.0.1","v6.1.0","v6.1.1","v6.1.2","v6.10.0","v6.10.1","v6.10.2","v6.10.3","v6.10.4","v6.2.0","v6.3.0","v6.3.1","v6.3.2","v6.3.3","v6.3.4","v6.3.5","v6.4.0","v6.4.1","v6.4.2","v6.5.0","v6.5.1","v6.5.2","v6.5.3","v6.6.0","v6.6.1","v6.6.10","v6.6.11","v6.6.12","v6.6.13","v6.6.14","v6.6.2","v6.6.3","v6.6.4","v6.6.5","v6.6.6","v6.6.7","v6.6.8","v6.6.9","v6.7.0","v6.7.1","v6.7.2","v6.8.0","v6.8.1","v6.9.0","v6.9.1","v6.9.2","v6.9.3","v6.9.4","v7.0.0","v7.0.1","v7.1.0","v7.1.1","v7.1.2","v7.2.0","v7.2.1","v7.3.0","v7.3.1","v7.3.2","v7.3.3","v7.4.0","v7.4.1","v7.4.2","v7.5.0","v7.5.1","v7.5.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33738.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N"}]}