v6.7.1
🏕 Features

    Remove annoying check preventing migration on prod database by @ildyria in #3517
    fix: Fix album not refreshed when importing via url by @ildyria in #3523
    Add user-group permissions to query by @ildyria in #3425
    Translations update from LycheeOrg - Weblate by @ildyria in #3528
    Fix: sort RSS feed query reverse-chronologically by @cdzombak in #3546
    Improve scrolling UX when exiting photo lightbox by @cdzombak in #3550
    Fix broken Back button when viewing photo in lightbox by @cdzombak in #3551
    Explicitly set phpstan memory limit to 512MB by @cdzombak in #3561
    Allow disabling "swipe up/down to go back" and "scroll to move between photos" gestures by @cdzombak in #3549
    Include tag in RSS item descriptions by @cdzombak in #3547
    Version 6.7.1 by @ildyria in #3562

👒 Dependencies

    Bump the development-dependencies group with 7 updates by @dependabot[bot] in #3526
    Bump the development-dependencies group with 4 updates by @dependabot[bot] in #3535
    Bump the production-dependencies group with 5 updates by @dependabot[bot] in #3536
    Bump the production-dependencies group across 1 directory with 11 updates by @dependabot[bot] in #3537
    Bump form-data from 4.0.2 to 4.0.4 by @dependabot[bot] in #3554
    Bump axios from 1.10.0 to 1.11.0 by @dependabot[bot] in #3559
    Bump vue-i18n from 11.1.9 to 11.1.10 by @dependabot[bot] in #3555
    Bump maennchen/zipstream-php from 3.1.2 to 3.2.0 in the production-dependencies group by @dependabot[bot] in #3553
    Bump the development-dependencies group with 5 updates by @dependabot[bot] in #3552
	
v6.7.0
🏕 Features

    Fix photo copy modal not working after a copy by @ildyria in #3508
    feat : Add ability to manage admins + define Lychee owner by @ildyria in #3506
    feat: Sync revamped, faster and improved by @ildyria in #3478
    Add flow backend by @ildyria in #3446
	
v6.6.13

Released on Jun 27, 2025
Security release: Server-Side Request Forgery (SSRF) vulnerability fix (3.5)

All versions of Lychee below 6.6.12 are vulnerable to a Server-Side Request Forgery (SSRF) vulnerability. This allows an attacker to execute any GET request on your local network.

The vulnerability

The attack makes use of an unsanitized input on an fopen call during a photo import. This vulnerability would allow an attacker to effectively read any file on your internal network, including localhost.

Lychee itself is not impacted: the attack will not compromise your photos, albums, etc. Furthermore, the attacker needs to have access to an account with upload rights.

However, this still allows the attacker to use Lychee as a proxy and interact within your internal network/localhost. For example, if you have a notification forwarding service with a GET webhook, that could be exploited to send a notification and start a phishing attack.

The Fix

We added multiple optional checks on the urls provided:

    validate the url formatting
    validate that the scheme is http/https
    validate that the port if given is 80 or 443
    validate that if an ip is used it is not a local ip
    validate that localhost is not used.

All of them are enabled by default and can be disabled in the expert admin settings.
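
The five checks listed above, sketched as one PHP function (an added example, not Lychee's own code; the function name check_import_url and the failure labels are hypothetical). It inspects only the URL string, so a hostname that resolves to an internal address is outside what this sketch covers.

```php
<?php
declare(strict_types=1);

// Added illustration; check_import_url() and its labels are hypothetical names.
// Returns the list of failed checks; an empty list means the URL passed all five.
function check_import_url(string $url): array
{
    // 1. URL formatting: must validate, parse, and carry both a scheme and a host.
    $parts = parse_url($url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || !is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return ['format'];
    }
    $failed = [];
    // 2. Scheme: only http/https, which keeps other fopen wrappers out of reach.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        $failed[] = 'scheme';
    }
    // 3. Port: if given, it must be 80 or 443.
    if (isset($parts['port']) && !in_array($parts['port'], [80, 443], true)) {
        $failed[] = 'port';
    }
    // 4. IP literal: reject private and reserved (loopback, link-local) ranges.
    $host = strtolower(trim($parts['host'], '[]')); // parse_url keeps IPv6 brackets
    $public = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($host, FILTER_VALIDATE_IP) !== false
        && filter_var($host, FILTER_VALIDATE_IP, $public) === false) {
        $failed[] = 'local_ip';
    }
    // 5. Hostname: reject localhost and names under .localhost.
    if ($host === 'localhost' || str_ends_with($host, '.localhost')) {
        $failed[] = 'localhost';
    }
    return $failed;
}

// Constructed sample inputs (not taken from the release notes).
$samples = [
    'https://example.com/photo.jpg',
    'http://192.168.1.10/status',
    'http://localhost:8080/hook?msg=hi',
    'http://[::1]/admin',
    'ftp://example.com/a.jpg',
    'http://169.254.169.254:80/latest/meta-data/',
];
foreach ($samples as $url) {
    $failed = check_import_url($url);
    printf("%-45s %s\n", $url, $failed === [] ? 'ok' : 'rejected: ' . implode(', ', $failed));
}
```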

Other changes

    fix ♯3498 : Fix SSRF + bump version by @ildyria.

    new ♯3491 : Add optional gallery header image by @ildyria.

        We added the option to have a header image on top of the gallery page. You will find the configuration in the Landing page settings.

    fix ♯3497 : add some missing RTL support on timeline photo display by @ildyria.

        Improvement of the RTL support on timeline photo display.

v6.6.12

Released on Jun 26, 2025
Persian, Right to Left (RTL) support, and invite links!

This is a small release that brings a few new features. A few weeks ago we added support for Arabic, but that was without the proper reading direction support. By adding support for Persian, we also took the time to add a full Right to Left (RTL) integration. There might still be some light display issues, but we are confident our Middle Eastern users will appreciate this.

A bug that has been plaguing Lychee for a while was that on mobile, the album header bar was disappearing when switching to the photo view. We completely rewrote the way the header bar is displayed and this is now fixed.

In version 6.6.6 we added a new registration page. This was either on or off, but there was no way to filter who could register. This release adds the ability to create invite links. As a result, you can keep the registration page disabled and create invite links that you can share with your friends.

    new ♯3419 : Add Persian language and fix LTR and RTL display by @ildyria.
    new ♯3435 : Do not log queries which are faster than 100ms by default by @ildyria.

        We added the .env variable DB_LOG_SQL_MIN_TIME which allows you to set the minimum time in ms for a query to be logged. Any SQL queries faster than this will be ignored. This is not something that is visible to the user, and more of a debugging/profiling feature.

    fixes ♯3494 : fix disappearing header bar on mobile by @ildyria.
    new ♯3433 : Add backend and frontend for simple invitation links by @ildyria.
    new ♯3458 : Add quick setup to run pgsql locally with tests by @ildyria.

        We added a small pgsql docker compose file with a postgresql database setup. This is not meant to be used in production, but it will allow us to easily run our test suite locally with a postgresql database.
