Vulnerability Report

CVE-2026-35455

Title: Stored Cross-Site Scripting (XSS) in Panorama Viewer

XSS

Proof Of Concept

PoC Available for CVE-2026-35455

CWE Category CWE-79

Published Date Apr 08, 2026

Modified Date Apr 15, 2026

Exploit Status Available

Score 7.3 CVSS v3.1

Exploit Probability (EPSS)

0.22%

Vulnerability Summary

CVE-2026-35455: immich is a high performance self-hosted photo and video management solution. Prior to 2.7.0, sStored Cross-Site Scripting (XSS) in the 360° panorama viewer allows any authenticated user to execute arbitrary JavaScript in the browser of any other user who views the malicious panorama with the OCR overlay enabled. The attacker uploads an equirectangular image containing crafted text; OCR extracts it, and the panorama viewer renders it via innerHTML without sanitization. This enables session hijacking (via persistent API key creation), private photo exfiltration, and access to GPS location history and face biometric data. This vulnerability is fixed in 2.7.0.

Impacted Vendors

immich 1

futo 1

Reference Links

https://github.com/immich-app/immich/security/advisories/GHSA-9qx4-67jm-cc66

CVSS v3.1

Source Entity [email protected]

Severity HIGH

7.3

Attack Vector

LOCAL

Complexity

LOW

Privileges

N/A

Interaction

REQUIRED

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS v3.1

Source Entity [email protected]

Severity MEDIUM

5.4

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

REQUIRED

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

CHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Associated Attack Patterns (CAPEC)

Total: Patterns