{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35455", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T19:25:52.193Z", "datePublished": "2026-04-08T18:31:27.418Z", "dateUpdated": "2026-04-08T18:31:27.418Z"}, "containers": {"cna": {"title": "immich has Stored XSS via OCR Text in 360\u00b0 Panorama Viewer", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/immich-app/immich/security/advisories/GHSA-9qx4-67jm-cc66", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/immich-app/immich/security/advisories/GHSA-9qx4-67jm-cc66"}], "affected": [{"vendor": "immich-app", "product": "immich", "versions": [{"version": "< 2.7.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T18:31:27.418Z"}, "descriptions": [{"lang": "en", "value": "immich is a high performance self-hosted photo and video management solution. Prior to 2.7.0, sStored Cross-Site Scripting (XSS) in the 360\u00b0 panorama viewer allows any authenticated user to execute arbitrary JavaScript in the browser of any other user who views the malicious panorama with the OCR overlay enabled. The attacker uploads an equirectangular image containing crafted text; OCR extracts it, and the panorama viewer renders it via innerHTML without sanitization. This enables session hijacking (via persistent API key creation), private photo exfiltration, and access to GPS location history and face biometric data. This vulnerability is fixed in 2.7.0."}], "source": {"advisory": "GHSA-9qx4-67jm-cc66", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "immich is a high performance self-hosted photo and video management solution. Prior to 2.7.0, sStored Cross-Site Scripting (XSS) in the 360\u00b0 panorama viewer allows any authenticated user to execute arbitrary JavaScript in the browser of any other user who views the malicious panorama with the OCR overlay enabled. The attacker uploads an equirectangular image containing crafted text; OCR extracts it, and the panorama viewer renders it via innerHTML without sanitization. This enables session hijacking (via persistent API key creation), private photo exfiltration, and access to GPS location history and face biometric data. This vulnerability is fixed in 2.7.0."}], "id": "CVE-2026-35455", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T19:25:24.357", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/immich-app/immich/security/advisories/GHSA-9qx4-67jm-cc66"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.7.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "immich", "source": "cna", "vendor": "immich-app"}, "product": "immich", "vendor": "immich-app"}], "analysis": {"en": {"generated_at": "2026-04-08T20:35:39.759801+00:00", "value": {"mitigation_remediation": ["Upgrade immich to version 2.7.0 or later to remove the flaw", "If an upgrade is not immediately feasible, disable the OCR overlay in the panorama viewer to prevent malicious text rendering", "Monitor user activity for abnormal API key creation or data exfiltration patterns"], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting that permits arbitrary JavaScript execution, enabling session hijacking, private photo exfiltration, and GPS and biometric data leaks"}, "threat_synthesis": {"affected_systems": "Any installation of immich that is running a version earlier than 2.7.0 is affected. The vulnerability is reported for the immich-app:immich product line and impacts all customers deploying those versions.", "description_and_impact": "immich, a self\u2011hosted photo and video management platform, suffered from a stored cross\u2011site scripting flaw in its 360\u00b0 panorama viewer. An authenticated user can upload an equirectangular image containing specially crafted text; the built\u2011in OCR engine extracts this text and the viewer renders it via innerHTML without sanitization. This allows the attacker to execute arbitrary JavaScript in the browser of any other user who opens the malicious panorama, potentially hijacking sessions through persistent API keys and exposing sensitive information such as private photos, GPS history, and face biometric data.", "risk_and_exploitability": "The vulnerability has a CVSS score of 7.3, indicating a high severity level. While an EPSS score is not publicly available and the flaw is not listed in the CISA KEV catalog, the attack requires an authenticated account to upload a malicious image and a second authenticated user to view it with OCR enabled. Consequently the exposed attack vector is an authenticated, yet internal, user flow that can be exploited to execute JavaScript and obtain further privileged data. Given the high CVSS score and the potential for extensive data loss and session compromise, the risk of exploitation is considered significant for affected deployments."}}}}, "created": "2026-04-09T08:18:23.027265+00:00", "updated": "2026-04-09T08:27:45.523420+00:00", "vendors": ["immich-app", "immich-app$PRODUCT$immich"]}