### [CVE-2025-50202](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50202)
![](https://img.shields.io/static/v1?label=Product&message=Lychee&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%206.6.6%2C%20%3C%206.6.10%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-22%3A%20Improper%20Limitation%20of%20a%20Pathname%20to%20a%20Restricted%20Directory%20('Path%20Traversal')&color=brightgreen)

### Description

Lychee is a free photo-management tool. In versions starting from 6.6.6 to before 6.6.10, an attacker can leak local files including environment variables, nginx logs, other user's uploaded images, and configuration secrets due to a path traversal exploit in SecurePathController.php. This issue has been patched in version 6.6.10.

### POC

#### Reference
- https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-6rj9-gm78-vhf9

#### Github
No PoCs found on GitHub currently.