CVE-2026-27210
Stored XSS in Pannellum Hot Spot Attributes Allows Remote Code Execution
Publication date: 2026-02-21
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pannellum | pannellum | From 2.5.0 (inc) to 2.5.7 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27210 is a Cross-Site Scripting (XSS) vulnerability in the Pannellum panorama viewer versions 2.5.0 through 2.5.6. The issue arises because the hot spot attributes configuration property allows any attribute to be set, including HTML event handler attributes, without proper filtering.
This flaw enables attackers to inject and execute arbitrary JavaScript code through malicious JSON configuration files. Such files can be loaded by the standalone viewer HTML file (pannellum.htm) or by any other deployment that accepts untrusted JSON configs, bypassing protections such as the escapeHTML parameter.
Exploitation requires no user interaction beyond visiting a URL that points to a malicious config file, as certain events trigger automatically. Successful exploitation can lead to arbitrary script execution, such as replacing the page content and impersonating the hosting website.
The vulnerability was fixed in version 2.5.7 by filtering out event handler attributes and sanitizing URLs to prevent script injection.
How can this vulnerability impact me?
This vulnerability allows an attacker to execute arbitrary JavaScript code on websites using vulnerable versions of Pannellum by supplying malicious JSON configuration files.
The impact includes the ability to replace the contents of the affected webpage with arbitrary content, potentially impersonating the legitimate website.
Because exploitation requires no user interaction beyond visiting a malicious URL, users can be affected simply by accessing a crafted link.
The CVSS score rates this as moderate severity (5.3): the vulnerability does not directly compromise the confidentiality, integrity, or availability of the underlying system, but script execution in the visitor's browser yields a low impact on confidentiality and integrity.
Mitigations include upgrading to version 2.5.7 or later, setting Content-Security-Policy headers to block inline event handlers, and avoiding hosting the vulnerable viewer on domains sharing authentication cookies.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying whether your system is running Pannellum versions 2.5.0 through 2.5.6 and whether it loads untrusted JSON configuration files that set hot spot attributes without proper filtering.

You can check the version of Pannellum in use by inspecting the package version or the version noted in the pannellum.htm file.

To detect potential exploitation or the presence of malicious config files, search your JSON config files for suspicious event handler attributes (attribute names starting with "on") or unsafe href values.

Example commands to help detect vulnerable versions or malicious configs might include:

- Check the Pannellum version in your project (if using npm): `npm list pannellum`
- Search for JSON config files containing event handler attributes: `grep -r -i '"on' /path/to/configs`
- Search for suspicious href attributes in JSON configs: `grep -r -i 'href' /path/to/configs`
- Monitor web server logs for requests to standalone viewer URLs with unusual query parameters or config file references that could trigger the vulnerability. [1]
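The grep commands above match any string containing `"on` or `href`, which produces noise on real tours. As an added example (not Pannellum's own code and not part of the advisory), the following JavaScript applies the two rules the advisory describes, attribute names starting with "on" and URL-bearing attributes with an unsafe scheme, to a parsed config, and also produces a hardened copy of an attribute map in the spirit of the 2.5.7 fix described above. The config shape (a top-level `hotSpots` array whose entries may carry an `attributes` object) is assumed from Pannellum's documented configuration format; the set of URL-bearing attribute names (`href`, `src`, `formaction`) and the "http(s) or relative only" URL policy are the defender's choices here and go slightly beyond the advisory's mention of href. The sample config is constructed.

```javascript
// Added example (not Pannellum's own code): scan a Pannellum-style JSON config
// for the hot spot attribute patterns described in CVE-2026-27210 and return a
// hardened copy of an attribute map. Assumptions: hot spots live in a top-level
// "hotSpots" array and custom attributes in each entry's "attributes" object.

// Attribute names that carry URLs (assumed list, not from the advisory).
const URL_ATTRIBUTES = new Set(['href', 'src', 'formaction']);
// Defender's policy: only these absolute schemes are acceptable.
const ALLOWED_URL_SCHEMES = new Set(['http:', 'https:']);

// HTML event handler attributes all start with "on" (onclick, onmouseenter,
// onerror, ...). HTML attribute names are case-insensitive, so match that way.
function isEventHandlerAttribute(name) {
  return /^on/i.test(String(name).trim());
}

// A URL is unsafe if it is absolute with a scheme other than http(s)
// (javascript:, data:, vbscript:, ...). Relative URLs are accepted.
// Control characters and whitespace are stripped first because browsers
// ignore them when parsing a scheme, which grep-style checks can miss.
function isUnsafeUrl(value) {
  const v = String(value).replace(/[\u0000-\u0020]+/g, '');
  if (v === '') return false;
  // No "scheme:" prefix means a relative URL.
  if (!/^[a-z][a-z0-9+.-]*:/i.test(v)) return false;
  let parsed;
  try {
    parsed = new URL(v);
  } catch {
    return true; // looks absolute but does not parse: treat as unsafe
  }
  return !ALLOWED_URL_SCHEMES.has(parsed.protocol);
}

// Walk every hot spot and report suspicious attributes as
// { hotSpot: index, attribute: name, reason: text } findings.
function findUnsafeHotSpotAttributes(config) {
  const findings = [];
  const hotSpots = Array.isArray(config && config.hotSpots) ? config.hotSpots : [];
  hotSpots.forEach((hs, index) => {
    const attrs = hs && hs.attributes && typeof hs.attributes === 'object' ? hs.attributes : {};
    for (const [name, value] of Object.entries(attrs)) {
      if (isEventHandlerAttribute(name)) {
        findings.push({ hotSpot: index, attribute: name, reason: 'event handler attribute' });
      } else if (URL_ATTRIBUTES.has(name.toLowerCase()) && isUnsafeUrl(value)) {
        findings.push({ hotSpot: index, attribute: name, reason: 'unsafe URL scheme' });
      }
    }
  });
  return findings;
}

// Hardened copy of one attribute map: event handlers and unsafe URLs are dropped,
// everything else is kept unchanged.
function sanitizeHotSpotAttributes(attrs) {
  const clean = {};
  for (const [name, value] of Object.entries(attrs || {})) {
    if (isEventHandlerAttribute(name)) continue;
    if (URL_ATTRIBUTES.has(name.toLowerCase()) && isUnsafeUrl(value)) continue;
    clean[name] = value;
  }
  return clean;
}

// Constructed sample config (not a real tour): one benign hot spot and one that
// carries the attribute patterns the advisory describes, with placeholder values.
const SAMPLE_CONFIG = {
  type: 'equirectangular',
  panorama: 'panorama.jpg',
  hotSpots: [
    { pitch: 10, yaw: 20, type: 'info', text: 'Lobby',
      attributes: { 'data-room': 'lobby', href: 'https://example.com/lobby' } },
    { pitch: -5, yaw: 90, type: 'info', text: 'Exit',
      attributes: { onmouseenter: 'CONSTRUCTED_PAYLOAD_PLACEHOLDER',
                    href: 'javascript:CONSTRUCTED_PAYLOAD_PLACEHOLDER',
                    title: 'Exit' } },
  ],
};

// Scan the constructed sample; real use would JSON.parse each config file instead.
function scanSample() {
  return findUnsafeHotSpotAttributes(SAMPLE_CONFIG);
}

console.log(JSON.stringify(scanSample(), null, 2));
console.log(sanitizeHotSpotAttributes(SAMPLE_CONFIG.hotSpots[1].attributes));
```

Run it with `node` against each config file after `JSON.parse`; the scan only covers files that parse as JSON, so a loader that accepts configs from a query parameter still needs the CSP header (`script-src-attr 'none'`) as the browser-side backstop, and the URL policy here is deliberately stricter than the advisory's href check.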
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Pannellum to version 2.5.7 or later, where the vulnerability has been fixed.

If upgrading is not immediately possible, you can mitigate the vulnerability by setting a Content-Security-Policy (CSP) header that blocks execution of inline event handlers.

- Set the HTTP header `Content-Security-Policy: script-src-attr 'none'` to prevent execution of inline event handlers.
- Avoid hosting pannellum.htm on domains that share cookies with user authentication, to reduce the risk of XSS affecting authenticated sessions. [1]