CVE-2026-35455

Severity CVSS v4.0:

Pending analysis

Type:

CWE-79 Cross-Site Scripting (XSS)

Publication date:

08/04/2026

Last modified:

15/04/2026

Description

immich is a high performance self-hosted photo and video management solution. Prior to 2.7.0, sStored Cross-Site Scripting (XSS) in the 360° panorama viewer allows any authenticated user to execute arbitrary JavaScript in the browser of any other user who views the malicious panorama with the OCR overlay enabled. The attacker uploads an equirectangular image containing crafted text; OCR extracts it, and the panorama viewer renders it via innerHTML without sanitization. This enables session hijacking (via persistent API key creation), private photo exfiltration, and access to GPS location history and face biometric data. This vulnerability is fixed in 2.7.0.

Impact

Vector 3.x

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.30 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x

7.30

Severity 3.x

HIGH

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:futo:immich::::::docker::*	2.6.0 (including)	2.7.0 (excluding)

To consult the complete list of CPE names with products and versions, see this page

References to Advisories, Solutions, and Tools

https://github.com/immich-app/immich/security/advisories/GHSA-9qx4-67jm-cc66