It looks like they intend everything to be in the webroot, which is a problem in and of itself. Setting everything in the uploads folder to be executable without any .htaccess directives to prevent that seems like a potential issue. If they're not validating images (properly) or sandboxing uploads, or thinking about mitigating directory traversal attacks, then there could be issues with remote code execution.
> https://github.com/electerious/Lychee/blob/master/docs/md/In.... I don't think this is ok