CVE-2026-35455
Stored XSS in Immich Panorama Viewer Enables Data Theft

Publication date: 2026-04-08

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
immich is a high performance self-hosted photo and video management solution. Prior to 2.7.0, Stored Cross-Site Scripting (XSS) in the 360° panorama viewer allows any authenticated user to execute arbitrary JavaScript in the browser of any other user who views the malicious panorama with the OCR overlay enabled. The attacker uploads an equirectangular image containing crafted text; OCR extracts it, and the panorama viewer renders it via innerHTML without sanitization. This enables session hijacking (via persistent API key creation), private photo exfiltration, and access to GPS location history and face biometric data. This vulnerability is fixed in 2.7.0.
Meta Information
Published: 2026-04-08
Last Modified: 2026-04-15
Generated: 2026-05-07
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: futo
Product: immich
Version / Range: From 2.6.0 (inc) to 2.7.0 (exc)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, upgrade the immich-server to version 2.7.0 or later where the issue is fixed.

  • Apply proper sanitization of OCR text before rendering it in the panorama viewer.
  • Avoid using innerHTML with unsanitized input in the panorama viewer component.
  • Strengthen the Content Security Policy (CSP) to disallow unsafe inline scripts, as the default CSP includes 'script-src unsafe-inline' which is insufficient.

Can you explain this vulnerability to me?

CVE-2026-35455 is a Stored Cross-Site Scripting (XSS) vulnerability in the immich application's 360° panorama viewer component prior to version 2.7.0.

The vulnerability occurs because the panorama viewer renders OCR-extracted text from uploaded equirectangular images directly into the browser's DOM using innerHTML without proper sanitization.

An authenticated user can upload a malicious panorama image containing crafted text that, when processed by OCR and viewed by another user with the OCR overlay enabled, executes arbitrary JavaScript in the victim's browser.

This happens because the OCR text is inserted into an HTML template string and rendered unsafely, allowing attackers to inject scripts.
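The rendering pattern described above, together with the sanitization and CSP points from the mitigation answer, as an added example that is not Immich's own code: the template that drops OCR text into innerHTML next to two hardened forms, plus a check for a script-src that permits inline scripts. Function names and the sample OCR text are assumptions.

```javascript
// Added example, not Immich's own code: the overlay rendering pattern the advisory
// describes, as a vulnerable template beside hardened forms, plus a check for the
// CSP weakness it names. Function names and the sample OCR text are constructed.

// Constructed OCR output containing markup, as an untrusted OCR engine might return it.
const SAMPLE_OCR_TEXT = 'Gate 12 <script>run()</script>';

// Vulnerable pattern: OCR text is interpolated into an HTML template string that is
// later assigned to innerHTML, so any markup in the text becomes live DOM.
function buildOverlayHtmlUnsafe(ocrText) {
  return `<div class="ocr-overlay">${ocrText}</div>`;
}

// Escape the five characters that matter in element content and attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern 1: escape before interpolating, so the browser shows literal text.
function buildOverlayHtmlSafe(ocrText) {
  return `<div class="ocr-overlay">${escapeHtml(ocrText)}</div>`;
}

// Hardened pattern 2 (preferred in DOM code): no HTML string at all; textContent is
// never parsed as markup. `doc` is anything with createElement, so this runs off-browser.
function renderOverlay(doc, ocrText) {
  const el = doc.createElement('div');
  el.className = 'ocr-overlay';
  el.textContent = ocrText;
  return el;
}

// Defence in depth: report whether a Content-Security-Policy header lets inline scripts
// run, using script-src or, when it is absent, default-src. Nonces and hashes, which
// make browsers ignore 'unsafe-inline', are not modelled here.
function cspAllowsInlineScript(cspHeader) {
  const directives = new Map(
    cspHeader.split(';')
      .map((d) => d.trim().split(/\s+/).map((t) => t.toLowerCase()))
      .filter((parts) => parts[0])
      .map(([name, ...sources]) => [name, sources]),
  );
  const sources = directives.get('script-src') || directives.get('default-src') || [];
  return sources.includes("'unsafe-inline'");
}
```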


How can this vulnerability impact me?

This vulnerability can have serious impacts including:

  • Session hijacking through persistent API key creation.
  • Exfiltration of private photos.
  • Unauthorized access to GPS location history.
  • Unauthorized access to biometric face data.

The attack requires the victim to enable the OCR overlay and interact with the malicious text region, but sharing a malicious panorama via a shared album is sufficient to trigger the attack.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying if your immich-server Docker package is running a vulnerable version (2.6.x or earlier) and if the 360° panorama viewer component is in use with the OCR overlay enabled.

Since the vulnerability involves stored XSS via crafted equirectangular images uploaded by authenticated users, detection involves checking for suspicious panorama images containing malicious scripts in the OCR text.

There are no specific commands provided in the resources to detect this vulnerability directly on the network or system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an authenticated user to execute arbitrary JavaScript in another user's browser, leading to session hijacking, private photo exfiltration, and unauthorized access to GPS location history and biometric face data.

Such unauthorized access and data exfiltration could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, this vulnerability poses significant risks to compliance with these standards by potentially exposing personal data and biometric information without user consent or adequate protection.

