1. Lychee Photo Management Tool Exposed Private Album Sharing Metadata to Unauthorized Users
A critical access control flaw in the Lychee photo management software allowed authenticated users to view the private sharing permissions of every album on an instance. The vulnerability, tracked as CVE-2026-39957, stemmed from a SQL operator-precedence bug in the `SharingController::listAll()` function. This bug caus...