Your IP : 216.73.216.176

Current Path : /proc/thread-self/root/proc/thread-self/root/var/softaculous/lychee/
Upload File :
Current File : //proc/thread-self/root/proc/thread-self/root/var/softaculous/lychee/changelog.txt

v6.7.1
🏕 Features

    Remove annoying check preventing migration on prod database by @ildyria in #3517
    fix: Fix album not refreshed when importing via url by @ildyria in #3523
    Add user-group permissions to query by @ildyria in #3425
    Translations update from LycheeOrg - Weblate by @ildyria in #3528
    Fix: sort RSS feed query reverse-chronologically by @cdzombak in #3546
    Improve scrolling UX when exiting photo lightbox by @cdzombak in #3550
    Fix broken Back button when viewing photo in lightbox by @cdzombak in #3551
    Explicitly set phpstan memory limit to 512MB by @cdzombak in #3561
    Allow disabling "swipe up/down to go back" and "scroll to move between photos" gestures by @cdzombak in #3549
    Include tag in RSS item descriptions by @cdzombak in #3547
    Version 6.7.1 by @ildyria in #3562

👒 Dependencies

    Bump the development-dependencies group with 7 updates by @dependabot[bot] in #3526
    Bump the development-dependencies group with 4 updates by @dependabot[bot] in #3535
    Bump the production-dependencies group with 5 updates by @dependabot[bot] in #3536
    Bump the production-dependencies group across 1 directory with 11 updates by @dependabot[bot] in #3537
    Bump form-data from 4.0.2 to 4.0.4 by @dependabot[bot] in #3554
    Bump axios from 1.10.0 to 1.11.0 by @dependabot[bot] in #3559
    Bump vue-i18n from 11.1.9 to 11.1.10 by @dependabot[bot] in #3555
    Bump maennchen/zipstream-php from 3.1.2 to 3.2.0 in the production-dependencies group by @dependabot[bot] in #3553
    Bump the development-dependencies group with 5 updates by @dependabot[bot] in #3552
	
v6.7.0
🏕 Features

    Fix photo copy modal not working after a copy by @ildyria in #3508
    feat : Add ability to manage admins + define Lychee owner by @ildyria in #3506
    feat: Sync revamped, faster and improved by @ildyria in #3478
    Add flow backend by @ildyria in #3446
	
v6.6.13

Released on Jun 27, 2025
Security release: Server-Side Request Forgery (SSRF) vulnerability fix (3.5)

All versions of Lychee below 6.6.12 are vulnerable to a Server-Side Request Forgery (SSRF) vulnerability. This leads the attacker to be able to execute any GET request on your local network.
The vulnerability

The attack makes use of an unsanitized input on an fopen call during a photo import. This vulnerability would allow an attacker to effectively read any file on your internal network, including localhost.

In itself Lychee is not impacted. As in the attack will not compromise your photos, albums, etc. Furthermore, the attacker needs to have access to an account with upload rights.

However, this still allows the attacker to use Lychee as a proxy and interact within your internal network/localhost. For example, if you have a notification forwarding service with a GET webhook, that could be exploited to send a notification and start a phishing attack.
The Fix

We added multiple optional checks on the urls provided:

    validate that the url formatting
    validate that the scheme is http/https
    validate that the port if given is 80 or 443
    validate that if an ip is used it is not a local ip
    validate that localhost is not used.

All of them are enabled by default and can be disabled in the expert admin settings.
Other changes

    fix ♯3498 : Fix SSRF + bump version by @ildyria.

    new ♯3491 : Add optional gallery header image by @ildyria.

        We added the option to have a header image on top of the gallery page. You will find the configuration in the Landing page settings.

    fix ♯3497 : add some missing RTL support on timeline photo display by @ildyria.

        Improvement of the RTL support on timeline photo display.

v6.6.12

Released on Jun 26, 2025
Persian, Right to Left (RTL) support, and invite links!

This is a small release that brings a few new features. A few weeks ago we added support for Arabic, but that was without the proper reading direction support. By adding support for Persian, we also took the time to add a full Right to Left (RTL) integration. There might still be some light display issues, but we are confident our middle eastern users will appreciate this.

A bug that has been plaguing lychee for a while was that on mobile, the album header bar was disappearing when switching to the photo view. We completely rewrote the way the header bar is displayed and this is now fixed.

In version 6.6.6 we added a new registration page. This was either on or off, but there was no way to filter who could register. This release adds the ability to create invite links. As a result, you can keep the registration page disabled and create invite links that you can share with your friends.

    new ♯3419 : Add Persian language and fix LTR and RTL display by @ildyria.
    new ♯3435 : Do not log queries which are faster than 100ms by default by @ildyria.

        We added the .env variable DB_LOG_SQL_MIN_TIME which allows to you set the minimum time in ms for a query to be logged. Any SQL queries faster than this will be ignored. This is not something that is visible to the user, and more of a debugging/profiling feature.

    fixes ♯3494 : fix disappearing header bar on mobile by @ildyria.
    new ♯3433 : Add backend and frontend for simple invitation links by @ildyria.
    new ♯3458 : Add quick setup to run pgsql locally with tests by @ildyria.

        We added a small pgsql docker compose file with a postgresql database setup. This is not meant to be used in production, but it will allow us to easily run our test suite locally with a postgresql database.
?>