????
Your IP : 216.73.216.79
v7.6.0 Latest
What's Changed
🏕 Features
Async reverse-geocoding, configurable rate limit, remove Wikimedia map provider by @ildyria in #4275
Fixes the wrong name of aspect_ratio 16by9 to 1byx9 in all translations. by @mhepp63 in #4279
Avoid spamming the server for auditories when we don't have the rights by @ildyria in #4283
Add admin check for uploads by @ildyria in #4282
Remove user constraint on decoding Limiter by @ildyria in #4292
feat(036): fix direct photo links in large paginated albums via ?page=N by @ildyria in #4294
fix: show Back Home button on tablets and phones by @ildyria in #4295
ldap is no longer required by @ildyria in #4297
Fixes the Czech translation, part II by @mhepp63 in #4303
feat(35) Chunked Archive Download by @ildyria in #4300
feat(34): add bulk album edit by @ildyria in #4296
feat: search other pages when photo not found in suggested page by @ildyria in #4311
feat: Add setting to disable embed endpoints and UI. by @ildyria in #4316
fix: Improved support for group authorization for Album delete & edit by @ildyria in #4317
feat(37): improved admin panel by @ildyria in #4312
fix: deduplicate photos in tag album listings by @ildyria in #4328
fix: optimistic UI update for album pin/unpin by @ildyria in #4329
feat(white-label): hide Lychee SE / version branding on login form and all public surfaces by @ildyria in #4335
fix: use file path instead of stream for PDF thumbnail generation by @mitpjones in #4334
Fix SSRF on TOCTOU by @ildyria in #4344
Bump frankenphp + fix flacky test by @ildyria in #4354
Fixes the Czech translation, part III by @mhepp63 in #4353
Disable response caching functionality by @ildyria in #4362
Fix not loading settings first page anymore by @ildyria in #4365
Update Markdown configuration to a more secure practice by @ildyria in #4377
Remove vulnerabilities by dropping some dependencies. by @ildyria in #4378
Add option to have timeline only at root level by @ildyria in #4383
Only call advisory after being logged in by @ildyria in #4384
Fix hidden albums leaking via "present in albums" list by @ildyria in #4387
Display Camera Make in PhotoDetails Exif Data by @rschumm in #4389
Feature 041: supply title/description at upload time; return expected_id in response by @ildyria in #4385
feat(webshop): add print & pixel size support (feature 043) by @ildyria in #4388
Add option to disable the switch photo effect by @ildyria in #4406
Add Feature 042 webshop order item display by @ildyria in #4411
Add option to disable the switch photo effect by @ildyria in #4410
Add better feedback on upload failures by @ildyria in #4412
Fix mb strings for our chinese users by @ildyria in #4415
Pin -rc releases by @ildyria in #4413
Add support for toggle select on mobile view by @ildyria in #4416
Add support for uploading folders by drag&drop by @ildyria in #4417
Avoid further complaint on api/v2/diagnostics endpoint by @ildyria in #4419
Do not re-run full CI if not necessary on PR by @ildyria in #4426
Add middleware to check if feature is enabled by @ildyria in #4428
Version 7.6.0 by @ildyria in #4429
👒 Dependencies
chore(deps): bump axios from 1.14.0 to 1.15.0 by @dependabot[bot] in #4277
chore(deps): bump phpseclib/phpseclib from 3.0.50 to 3.0.51 by @dependabot[bot] in #4281
chore(deps): bump the actions-deps group with 4 updates by @dependabot[bot] in #4291
chore(deps): bump the production-dependencies group with 6 updates by @dependabot[bot] in #4287
chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 by @dependabot[bot] in #4293
chore(deps-dev): bump the development-dependencies group with 6 updates by @dependabot[bot] in #4290
chore(deps): bump the production-dependencies group with 3 updates by @dependabot[bot] in #4289
chore(deps-dev): bump composer/composer from 2.9.5 to 2.9.7 by @dependabot[bot] in #4298
chore(deps): bump the actions-deps group with 3 updates by @dependabot[bot] in #4310
chore(deps): bump the production-dependencies group with 6 updates by @dependabot[bot] in #4306
chore(deps-dev): bump the development-dependencies group with 4 updates by @dependabot[bot] in #4309
chore(deps): bump the production-dependencies group with 3 updates by @dependabot[bot] in #4308
chore(deps): bump the production-dependencies group with 11 updates by @dependabot[bot] in #4322
chore(deps): bump aquasecurity/trivy-action from 0.35.0 to 0.36.0 in the actions-deps group by @dependabot[bot] in #4326
chore(deps-dev): bump the development-dependencies group with 3 updates by @dependabot[bot] in #4325
chore(deps): bump the production-dependencies group across 1 directory with 7 updates by @dependabot[bot] in #4327
chore(deps-dev): bump the development-dependencies group across 1 directory with 11 updates by @dependabot[bot] in #4323
chore(deps): bump the production-dependencies group with 3 updates by @dependabot[bot] in #4338
chore(deps-dev): bump the development-dependencies group with 4 updates by @dependabot[bot] in #4337
chore(deps-dev): bump phpstan/phpstan from 2.1.51 to 2.1.54 in the development-dependencies group by @dependabot[bot] in #4339
chore(deps): bump step-security/harden-runner from 2.19.0 to 2.19.1 in the actions-deps group by @dependabot[bot] in #4340
chore(deps): bump axios from 1.15.2 to 1.16.0 in the production-dependencies group by @dependabot[bot] in #4336
chore(deps): bump the actions-deps group with 2 updates by @dependabot[bot] in #4348
chore(deps-dev): bump the development-dependencies group with 5 updates by @dependabot[bot] in #4347
chore(deps): bump the production-dependencies group across 1 directory with 10 updates by @dependabot[bot] in #4352
chore(deps): bump the production-dependencies group across 1 directory with 5 updates by @dependabot[bot] in #4356
chore(deps): bump the production-dependencies group with 4 updates by @dependabot[bot] in #4358
chore(deps-dev): bump the development-dependencies group with 3 updates by @dependabot[bot] in #4360
chore(deps): bump the actions-deps group with 3 updates by @dependabot[bot] in #4361
chore(deps-dev): bump the development-dependencies group with 5 updates by @dependabot[bot] in #4359
chore(deps-dev): bump composer/composer from 2.9.7 to 2.9.8 by @dependabot[bot] in #4363
chore(deps): bump js-cookie from 3.0.5 to 3.0.7 by @dependabot[bot] in #4366
chore(deps-dev): bump qs from 6.15.1 to 6.15.2 by @dependabot[bot] in #4367
chore(deps): bump the actions-deps group with 5 updates by @dependabot[bot] in #4374
chore(deps): bump vite from 8.0.13 to 8.0.14 in the production-dependencies group by @dependabot[bot] in #4370
chore(deps-dev): bump the development-dependencies group with 5 updates by @dependabot[bot] in #4371
chore(deps-dev): bump rector/rector from 2.4.3 to 2.4.4 in the development-dependencies group by @dependabot[bot] in #4373
chore(deps): bump the production-dependencies group with 5 updates by @dependabot[bot] in #4372
chore(deps-dev): bump symfony/dom-crawler from 8.0.8 to 8.0.12 by @dependabot[bot] in #4379
chore(deps): bump symfony/polyfill-intl-idn from 1.37.0 to 1.38.1 by @dependabot[bot] in #4381
chore(deps): bump the production-dependencies group with 5 updates by @dependabot[bot] in #4391
chore(deps-dev): bump the development-dependencies group with 4 updates by @dependabot[bot] in #4393
chore(deps): bump the actions-deps group with 2 updates by @dependabot[bot] in #4395
chore(deps): bump the production-dependencies group with 2 updates by @dependabot[bot] in #4392
chore(deps-dev): bump the development-dependencies group with 5 updates by @dependabot[bot] in #4394
chore(deps): bump the actions-deps group across 1 directory with 3 updates by @dependabot[bot] in #4405
chore(deps): bump the production-dependencies group across 1 directory with 4 updates by @dependabot[bot] in #4409
chore(deps-dev): bump the development-dependencies group across 1 directory with 4 updates by @dependabot[bot] in #4404
chore(deps-dev): bump friendsofphp/php-cs-fixer from 3.95.5 to 3.95.7 by @dependabot[bot] in #4423
chore(deps): bump form-data from 4.0.5 to 4.0.6 by @dependabot[bot] in #4424
chore(deps-dev): bump the development-dependencies group across 1 directory with 10 updates by @dependabot[bot] in #4420
chore(deps): bump the production-dependencies group across 1 directory with 10 updates by @dependabot[bot] in #4421
chore(deps): bump the production-dependencies group with 3 updates by @dependabot[bot] in #4422
v7.5.3
Released on Mar 23rd, 2026
Fix XSS in RSS feed
Another day, another patch. A bit depressing... but so is the life of a maintainer. This patch fixes a potential XSS vulnerability in the RSS feed. The issue was that the description of the photos was not properly escaped, allowing for potential XSS attacks if they contained malicious code.
fix ♯4218 : Fix XSS in /feed by @ildyria.
new ♯4217 : Added and improved German translations by @hyazinthh.
Once again, thanks to @morimori-dev for reporting the XSS issue.
New Contributors
@hyazinthh made their first contribution in https://github.com/LycheeOrg/Lychee/pull/4217
v7.5.2
Released on Mar 22nd, 2026
Support camera capture and hotfix
In addition to loading pictures from memory, we now also support camera capture in the front-end. This allows users to take pictures directly and instantly upload them to Lychee, a feature that will be welcomed by our mobile users.
new ♯4213 : feat: add Camera Capture feature (Feature 029) by @mitpjones.
fix ♯4214 : Fix DNS resolving to local IP by @ildyria.
Fixes SSRF bypass via DNS rebinding. Read more here
Thanks to @morimori-dev for reporting the SSRF issue.
New Contributors
@mitpjones made their first contribution in https://github.com/LycheeOrg/Lychee/pull/4209
v7.5.1
Released on Mar 21st, 2026
Hotfixes
fix ♯4208 : Make LDAP optional by @ildyria.
Due to popular demand, we made the LDAP extension optional. If you do not have it installed, the LDAP features will be disabled, but the rest of the app will work as expected. This is especially useful for users who do not need LDAP support and want to avoid installing the extension.
fix ♯4207 : Fix tag album ordering by @ildyria.
Photos in Tag albums were not ordered. Fixed.
fix ♯4205 : Fix SSRF loopback edge case by @ildyria.
Read more here
Thanks to @offensiveee for reporting the SSRF issue.