Please don't tell anyone about this commit. It's a secret.

Dockerfile

@@ -89,6 +89,7 @@
 	ghostscript \
     # Update with respect to vulnerabilities detected with Trivy
     libgssapi-krb5-2 \
+    libssh2-1t64 \
 	&& sed -i '/<\/policymap>/i \  <policy domain="coder" rights="read|write" pattern="PDF" \/>' /etc/ImageMagick-7/policy.xml \
     && install-php-extensions \
     pdo_mysql \
@@ -120,7 +121,7 @@
 COPY --from=node --chown=www-data:www-data /app/public/embed ./public/embed
 
 # Ensure storage and bootstrap/cache are writable with minimal permissions
 RUN mkdir -p storage/framework/cache \
     storage/framework/sessions \
     storage/framework/views \
     storage/logs \

app/Http/Controllers/SecurePathController.php

@@ -24,6 +24,8 @@
 use Illuminate\Support\Facades\Crypt;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Storage;
+use Safe\Exceptions\FilesystemException;
+use function Safe\realpath;
 
 /**
  * Controller responsible for serving files securely.
@@ -48,10 +50,6 @@ public function __invoke(SecurePathRequest $request, ?string $path)
 			throw new InvalidSignatureException();
 		}
 
-		if (is_null($path)) {
-			throw new WrongPathException();
-		}
-
 		if ($request->configs()->getValueAsBool('secure_image_link_enabled')) {
 			try {
 				$path = Crypt::decryptString($path);
@@ -60,7 +58,14 @@ public function __invoke(SecurePathRequest $request, ?string $path)
 			}
 		}
 
-		$file = Storage::disk(StorageDiskType::LOCAL->value)->path($path);
+		$this->prevalidation_path($path);
+
+		try {
+			$file = realpath(Storage::disk(StorageDiskType::LOCAL->value)->path($path));
+		} catch (FilesystemException) {
+			throw new WrongPathException();
+		}
+
 		$valid_path_start = Storage::disk(StorageDiskType::LOCAL->value)->path('');
 		if (!str_starts_with($file, $valid_path_start)) {
 			Log::error('Invalid path for secure path request.', [
@@ -104,4 +109,26 @@ private function signatureHasNotExpired(Request $request)
 
 		return !($expires !== null && $expires !== '' && Carbon::now()->getTimestamp() > $expires);
 	}
+
+	/**
+	 * Validate the path.
+	 *
+	 * @param string|null $path
+	 *
+	 * @return void
+	 *
+	 * @throws WrongPathException
+	 */
+	private function prevalidation_path(?string $path): void
+	{
+		if (is_null($path)) {
+			throw new WrongPathException();
+		}
+
+		foreach (['..', '%2e', '%2f', '\\'] as $invalid_sequence) {
+			if (str_contains($path, $invalid_sequence)) {
+				throw new PathTraversalException('Invalid path for secure path request.');
+			}
+		}
+	}
 }

database/migrations/2026_06_26_173103_bump_version070604.php

@@ -0,0 +1,52 @@
+<?php
+
+/**
+ * SPDX-License-Identifier: MIT
+ * Copyright (c) 2017-2018 Tobias Reich
+ * Copyright (c) 2018-2026 LycheeOrg.
+ */
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\Artisan;
+use Illuminate\Support\Facades\DB;
+use Symfony\Component\Console\Output\ConsoleOutput;
+use Symfony\Component\Console\Output\ConsoleSectionOutput;
+
+return new class() extends Migration {
+	private ConsoleOutput $output;
+	private ConsoleSectionOutput $msg_section;
+
+	public function __construct()
+	{
+		$this->output = new ConsoleOutput();
+		$this->msg_section = $this->output->section();
+	}
+
+	/**
+	 * Run the migrations.
+	 *
+	 * @return void
+	 */
+	public function up(): void
+	{
+		DB::table('configs')->where('key', 'version')->update(['value' => '070604']);
+		try {
+			Artisan::call('cache:clear');
+		} catch (\Throwable $e) {
+			$this->msg_section->writeln('<error>Warning:</error> Failed to clear cache for version 7.6.4');
+
+			return;
+		}
+		$this->msg_section->writeln('<info>Info:</info> Cleared cache for version 7.6.4');
+	}
+
+	/**
+	 * Reverse the migrations.
+	 *
+	 * @return void
+	 */
+	public function down(): void
+	{
+		DB::table('configs')->where('key', 'version')->update(['value' => '070603']);
+	}
+};

tests/Feature_v2/SecureImageLinksTest.php

@@ -121,4 +121,13 @@ public function testDisabledSecureImageLinkIsForbidden(): void
 		$response = $this->get($broken_url);
 		$this->assertUnauthorized($response);
 	}
+
+	public function testPathTraversalIsForbidden(): void
+	{
+		$this->setTemporaryLink();
+		$path = URL::route('image', ['path' => 'c3/3d/c661c594a5a781cd44db06828783.png']);
+		$traversal_path = str_replace('c3/3d/c661c594a5a781cd44db06828783.png', '../.env', $path);
+		$response = $this->actingAs($this->userMayUpload1)->get($traversal_path);
+		$this->assertStatus($response, 418);
+	}
 }

version.md

@@ -1 +1 @@
-7.6.3
+7.6.4