Cyber Resilience

CVE-2026-35455

Severity: High · Public PoC

Published: 08 April 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available (Immich 2.7.0)
CVSS v3.1 score: 7.3 (High) CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS score: 0.0001 (1.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35455 is a high-severity stored cross-site scripting (CWE-79) vulnerability in Futo Immich. Its CVSS v3.1 base score is 7.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Browser Session Hijacking (T1185). EPSS ranks it at the 1.2nd percentile for exploit likelihood (well below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-35455 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Immich, a high-performance self-hosted photo and video management solution. The issue exists in versions prior to 2.7.0 within the 360° panorama viewer component, where OCR-extracted text from images is rendered via innerHTML without sanitization.

Any authenticated user can exploit the vulnerability by uploading an equirectangular image containing crafted text. The text does not need to be part of the image's metadata: OCR extracts it from the pixels, so the payload survives in the stored OCR result. When another user views the malicious panorama with the OCR overlay enabled, the viewer assigns that text to innerHTML and the browser parses it as markup, giving the attacker arbitrary JavaScript execution in the victim's session. From there the script can create a persistent API key in the victim's name (session hijacking that outlives the browser session), exfiltrate private photos, and read GPS location history and face biometric data. The CVSS v3.1 base score is 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H); the UI:R component reflects that a victim must open the affected panorama with the overlay enabled.

The vulnerability is fixed in Immich version 2.7.0. Because the payload lives in stored OCR text, panoramas uploaded before the upgrade remain dangerous on unpatched viewers; upgrading the server-side web application removes the unsafe rendering path for existing and future uploads alike. Additional details are available in the GitHub security advisory at https://github.com/immich-app/immich/security/advisories/GHSA-9qx4-67jm-cc66.


Vulnerability details

Immich is a high-performance self-hosted photo and video management solution. Prior to 2.7.0, stored Cross-Site Scripting (XSS) in the 360° panorama viewer allows any authenticated user to execute arbitrary JavaScript in the browser of any other user who views the malicious panorama with the OCR overlay enabled. The attacker uploads an equirectangular image containing crafted text; OCR extracts it, and the panorama viewer renders it via innerHTML without sanitization. This enables session hijacking (via persistent API key creation), private photo exfiltration, and access to GPS location history and face biometric data. This vulnerability is fixed in 2.7.0.

CWE(s)

CWE-79 Cross-site Scripting

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1185 Browser Session Hijacking (tactic: Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

T1567 Exfiltration Over Web Service (tactic: Exfiltration)
Adversaries may use an existing, legitimate external web service to exfiltrate data rather than their primary command and control channel.

Why these techniques?

Stored XSS gives the attacker arbitrary JavaScript execution inside the victim's authenticated browser session. From there the script can mint a persistent API key in the victim's name (T1185, a hijack that survives logout) and push photos, location history and face data to an external web service (T1567).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23896 (same product: Futo Immich)
CVE-2026-25118 (same product: Futo Immich)
CVE-2025-0595 (shared CWE-79)
CVE-2025-25203 (shared CWE-79)
CVE-2025-67959 (shared CWE-79)
CVE-2025-68835 (shared CWE-79)
CVE-2026-32118 (shared CWE-79)
CVE-2026-35569 (shared CWE-79)
CVE-2025-24617 (shared CWE-79)
CVE-2026-30934 (shared CWE-79)

Affected Assets

Vendor: futo
Product: immich
Versions: 2.6.0 up to, but not including, 2.7.0 (fixed in 2.7.0)

Mitigating Controls (NIST 800-53 r5) [AI]

SI-15 Information Output Filtering (prevent)
Directly addresses the stored XSS: OCR-extracted text must be encoded or filtered before it reaches the panorama viewer's innerHTML sink, so the browser never parses it as markup. This is the control the 2.7.0 fix implements.

SI-10 Information Input Validation (prevent)
Validates the OCR output derived from uploaded equirectangular images, rejecting or sanitizing crafted text before it is stored. On its own this is the weaker of the two: OCR output is attacker-controlled data whatever the image looks like, so input checks are defence in depth alongside output encoding, not a replacement for it.

SI-2 Flaw Remediation (prevent)
Apply Immich 2.7.0, which adds the missing sanitization in the panorama viewer component. Since the payload is stored OCR text, earlier uploads stay exploitable until every instance serving the viewer is upgraded.
