LycheeOrg · ildyria · Dec 12, 2025 · Dec 12, 2025 · Dec 12, 2025 · Dec 12, 2025
diff --git a/docs/releases.md b/docs/releases.md
@@ -30,6 +30,27 @@
 
 ## Version 6
 
+### v6.10.4
+
+Released on Dec 11th, 2025
+
+#### Minor Reflected SSRF fix
+
+We have been reported (CVE incoming) that a minor SSRF vulnerability was still present in Lychee.
+The patch from v6.6.13 did not fully mitigate the issue because an edge case had not been considered.
+Validation is done on the initial URL; however, if the URL is redirected, the redirection target was not validated against local network etc.
+To fix this, we added a new _expert_ configuration option in the admin section which disables following redirects when importing from URL.
+
+
+A big thanks to TableBasse, midfirewear, and petouha for reporting this vulnerability to us.
+
+#### Most notable changes
+
+* Mitigate small SSRF by @ildyria in https://github.com/LycheeOrg/Lychee/pull/3861
+
+
+**Full Changelog**: https://github.com/LycheeOrg/Lychee/compare/v6.10.3...v6.10.4
+
 ### v6.10.3
 
 Released on Dec 4th, 2025