Your IP : 216.73.216.176

Current Path : /proc/self/root/proc/self/root/proc/thread-self/root/var/softaculous/lychee/
Upload File :
Current File : //proc/self/root/proc/self/root/proc/thread-self/root/var/softaculous/lychee/changelog.txt

v6.7.2
What's Changed
🏕 Features

    fix "command" or "a" independently selecting all items by @cdzombak in #3567
    Add *.sqlite-journal to .gitignore by @cdzombak in #3566
    Mark placeholder as NOT downloadable by @ildyria in #3575
    fix: On small screen, remove padding on left & right padding by @ildyria in #3573
    Fix icon showing up in details even when taken-at is null by @ildyria in #3574
    Add throttling to login api: 10 tentative per hour by @ildyria in #3539
    fix header on album view when search is active by @ildyria in #3581
    While processing in CLI, do not crash on large photos by @ildyria in #3533
    Remove useless prop by @ildyria in #3594
    Fix: access rights failing due to relationship missing by @ildyria in #3597
    Add .env variable to disable basic login and WebAuthn login by @ildyria in #3382
    feat: Add a small module for links by @ildyria in #3521

👒 Dependencies

    Bump the actions-deps group with 3 updates by @dependabot[bot] in #3569
    Bump the development-dependencies group with 5 updates by @dependabot[bot] in #3570
    Bump the production-dependencies group with 6 updates by @dependabot[bot] in #3571
    Bump the production-dependencies group with 2 updates by @dependabot[bot] in #3588
    Bump shivammathur/setup-php from 2.35.1 to 2.35.2 in the actions-deps group by @dependabot[bot] in #3590
    Bump friendsofphp/php-cs-fixer from 3.84.0 to 3.85.1 in the development-dependencies group by @dependabot[bot] in #3589

v6.7.1
🏕 Features

    Remove annoying check preventing migration on prod database by @ildyria in #3517
    fix: Fix album not refreshed when importing via url by @ildyria in #3523
    Add user-group permissions to query by @ildyria in #3425
    Translations update from LycheeOrg - Weblate by @ildyria in #3528
    Fix: sort RSS feed query reverse-chronologically by @cdzombak in #3546
    Improve scrolling UX when exiting photo lightbox by @cdzombak in #3550
    Fix broken Back button when viewing photo in lightbox by @cdzombak in #3551
    Explicitly set phpstan memory limit to 512MB by @cdzombak in #3561
    Allow disabling "swipe up/down to go back" and "scroll to move between photos" gestures by @cdzombak in #3549
    Include tag in RSS item descriptions by @cdzombak in #3547
    Version 6.7.1 by @ildyria in #3562

👒 Dependencies

    Bump the development-dependencies group with 7 updates by @dependabot[bot] in #3526
    Bump the development-dependencies group with 4 updates by @dependabot[bot] in #3535
    Bump the production-dependencies group with 5 updates by @dependabot[bot] in #3536
    Bump the production-dependencies group across 1 directory with 11 updates by @dependabot[bot] in #3537
    Bump form-data from 4.0.2 to 4.0.4 by @dependabot[bot] in #3554
    Bump axios from 1.10.0 to 1.11.0 by @dependabot[bot] in #3559
    Bump vue-i18n from 11.1.9 to 11.1.10 by @dependabot[bot] in #3555
    Bump maennchen/zipstream-php from 3.1.2 to 3.2.0 in the production-dependencies group by @dependabot[bot] in #3553
    Bump the development-dependencies group with 5 updates by @dependabot[bot] in #3552
	
v6.7.0
🏕 Features

    Fix photo copy modal not working after a copy by @ildyria in #3508
    feat : Add ability to manage admins + define Lychee owner by @ildyria in #3506
    feat: Sync revamped, faster and improved by @ildyria in #3478
    Add flow backend by @ildyria in #3446
	
v6.6.13

Released on Jun 27, 2025
Security release: Server-Side Request Forgery (SSRF) vulnerability fix (3.5)

All versions of Lychee below 6.6.12 are vulnerable to a Server-Side Request Forgery (SSRF) vulnerability. This leads the attacker to be able to execute any GET request on your local network.
The vulnerability

The attack makes use of an unsanitized input on an fopen call during a photo import. This vulnerability would allow an attacker to effectively read any file on your internal network, including localhost.

In itself Lychee is not impacted. As in the attack will not compromise your photos, albums, etc. Furthermore, the attacker needs to have access to an account with upload rights.

However, this still allows the attacker to use Lychee as a proxy and interact within your internal network/localhost. For example, if you have a notification forwarding service with a GET webhook, that could be exploited to send a notification and start a phishing attack.
The Fix

We added multiple optional checks on the urls provided:

    validate that the url formatting
    validate that the scheme is http/https
    validate that the port if given is 80 or 443
    validate that if an ip is used it is not a local ip
    validate that localhost is not used.

All of them are enabled by default and can be disabled in the expert admin settings.
Other changes

    fix ♯3498 : Fix SSRF + bump version by @ildyria.

    new ♯3491 : Add optional gallery header image by @ildyria.

        We added the option to have a header image on top of the gallery page. You will find the configuration in the Landing page settings.

    fix ♯3497 : add some missing RTL support on timeline photo display by @ildyria.

        Improvement of the RTL support on timeline photo display.
?>