v6.7.2

What's Changed

🏕 Features

- fix "command" or "a" independently selecting all items by @cdzombak in #3567
- Add *.sqlite-journal to .gitignore by @cdzombak in #3566
- Mark placeholder as NOT downloadable by @ildyria in #3575
- fix: On small screen, remove padding on left & right padding by @ildyria in #3573
- Fix icon showing up in details even when taken-at is null by @ildyria in #3574
- Add throttling to login api: 10 tentative per hour by @ildyria in #3539
- fix header on album view when search is active by @ildyria in #3581
- While processing in CLI, do not crash on large photos by @ildyria in #3533
- Remove useless prop by @ildyria in #3594
- Fix: access rights failing due to relationship missing by @ildyria in #3597
- Add .env variable to disable basic login and WebAuthn login by @ildyria in #3382
- feat: Add a small module for links by @ildyria in #3521

👒 Dependencies

- Bump the actions-deps group with 3 updates by @dependabot[bot] in #3569
- Bump the development-dependencies group with 5 updates by @dependabot[bot] in #3570
- Bump the production-dependencies group with 6 updates by @dependabot[bot] in #3571
- Bump the production-dependencies group with 2 updates by @dependabot[bot] in #3588
- Bump shivammathur/setup-php from 2.35.1 to 2.35.2 in the actions-deps group by @dependabot[bot] in #3590
- Bump friendsofphp/php-cs-fixer from 3.84.0 to 3.85.1 in the development-dependencies group by @dependabot[bot] in #3589

v6.7.1

🏕 Features

- Remove annoying check preventing migration on prod database by @ildyria in #3517
- fix: Fix album not refreshed when importing via url by @ildyria in #3523
- Add user-group permissions to query by @ildyria in #3425
- Translations update from LycheeOrg - Weblate by @ildyria in #3528
- Fix: sort RSS feed query reverse-chronologically by @cdzombak in #3546
- Improve scrolling UX when exiting photo lightbox by @cdzombak in #3550
- Fix broken Back button when viewing photo in lightbox by @cdzombak in #3551
- Explicitly set phpstan memory limit to 512MB by @cdzombak in #3561
- Allow disabling "swipe up/down to go back" and "scroll to move between photos" gestures by @cdzombak in #3549
- Include tag in RSS item descriptions by @cdzombak in #3547
- Version 6.7.1 by @ildyria in #3562

👒 Dependencies

- Bump the development-dependencies group with 7 updates by @dependabot[bot] in #3526
- Bump the development-dependencies group with 4 updates by @dependabot[bot] in #3535
- Bump the production-dependencies group with 5 updates by @dependabot[bot] in #3536
- Bump the production-dependencies group across 1 directory with 11 updates by @dependabot[bot] in #3537
- Bump form-data from 4.0.2 to 4.0.4 by @dependabot[bot] in #3554
- Bump axios from 1.10.0 to 1.11.0 by @dependabot[bot] in #3559
- Bump vue-i18n from 11.1.9 to 11.1.10 by @dependabot[bot] in #3555
- Bump maennchen/zipstream-php from 3.1.2 to 3.2.0 in the production-dependencies group by @dependabot[bot] in #3553
- Bump the development-dependencies group with 5 updates by @dependabot[bot] in #3552

v6.7.0

🏕 Features

- Fix photo copy modal not working after a copy by @ildyria in #3508
- feat : Add ability to manage admins + define Lychee owner by @ildyria in #3506
- feat: Sync revamped, faster and improved by @ildyria in #3478
- Add flow backend by @ildyria in #3446

v6.6.13

Released on Jun 27, 2025

Security release: Server-Side Request Forgery (SSRF) vulnerability fix (3.5)

All versions of Lychee below 6.6.12 are vulnerable to a Server-Side Request Forgery (SSRF) vulnerability. This allows an attacker to execute any GET request on your local network.

The vulnerability

The attack makes use of an unsanitized input on an fopen call during a photo import. This vulnerability would allow an attacker to effectively read any file on your internal network, including localhost.

Lychee itself is not impacted: the attack will not compromise your photos, albums, etc. Furthermore, the attacker needs to have access to an account with upload rights. However, this still allows the attacker to use Lychee as a proxy and interact within your internal network/localhost. For example, if you have a notification forwarding service with a GET webhook, that could be exploited to send a notification and start a phishing attack.

The Fix

We added multiple optional checks on the URLs provided:

- validate the URL formatting
- validate that the scheme is http/https
- validate that the port, if given, is 80 or 443
- validate that if an IP is used, it is not a local IP
- validate that localhost is not used.

All of them are enabled by default and can be disabled in the expert admin settings.

Other changes

- fix ♯3498 : Fix SSRF + bump version by @ildyria.
- new ♯3491 : Add optional gallery header image by @ildyria. We added the option to have a header image on top of the gallery page. You will find the configuration in the Landing page settings.
- fix ♯3497 : add some missing RTL support on timeline photo display by @ildyria. Improvement of the RTL support on timeline photo display.
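
The five URL checks listed under "The Fix" for v6.6.13 can be sketched as a single gate in front of the fopen call. This is an added example, not Lychee's own code; the function name `checkImportUrl`, the returned labels and the sample URLs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Lychee's code: the five checks from the release note,
// applied to an import URL before it is handed to fopen(). Requires PHP 8.
// Returns null when the URL passes, otherwise the name of the failed check.
function checkImportUrl(string $url): ?string
{
    // 1. URL formatting
    $parts = filter_var($url, FILTER_VALIDATE_URL) === false ? false : parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'])) {
        return 'format';
    }
    // 2. Scheme must be http or https (rejects file://, ftp:// and the like)
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return 'scheme';
    }
    if (!isset($parts['host'])) {
        return 'format';
    }
    // 3. Port, if given, must be 80 or 443
    if (isset($parts['port']) && !in_array($parts['port'], [80, 443], true)) {
        return 'port';
    }
    // parse_url() keeps the brackets around IPv6 literals; strip them.
    $host = strtolower(trim($parts['host'], '[]'));
    // 4. localhost must not be used
    if ($host === 'localhost' || str_ends_with($host, '.localhost')) {
        return 'localhost';
    }
    // 5. An IP literal must not sit in a private or reserved (loopback, link-local) range
    $noLocal = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($host, FILTER_VALIDATE_IP) !== false
        && filter_var($host, FILTER_VALIDATE_IP, $noLocal) === false) {
        return 'local-ip';
    }
    return null;
}

// Constructed sample URLs, not taken from the advisory.
$samples = [
    'https://example.com/photo.jpg', 'ftp://example.com/photo.jpg',
    'https://example.com:8080/photo.jpg', 'http://localhost/hook',
    'http://127.0.0.1/hook', 'http://192.168.1.10/photo.jpg',
    'http://[::1]/hook', 'not a url',
];
foreach ($samples as $url) {
    printf("%-38s %s\n", $url, checkImportUrl($url) ?? 'ok');
}
```

These checks act on the URL text only, as the release note describes; re-checking the addresses a hostname resolves to and refusing to follow redirects are separate controls not shown here.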