CVE-2026-35455
Published: 08 April 2026
Summary
CVE-2026-35455 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Futo Immich. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 8.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- Directly addresses the stored XSS by requiring filtering of OCR-extracted text prior to rendering via innerHTML in the panorama viewer, preventing arbitrary JavaScript execution.
- Validates information inputs from uploaded equirectangular images and OCR processing to reject or sanitize crafted malicious text payloads.
- Ensures timely flaw remediation by applying patches such as Immich 2.7.0, which fixes the lack of sanitization in the vulnerable panorama viewer component.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Stored XSS enables arbitrary JavaScript execution in the victim's browser, directly facilitating browser session hijacking (via an API key) and exfiltration of photos and data over web services.
NVD Description
immich is a high-performance self-hosted photo and video management solution. Prior to 2.7.0, Stored Cross-Site Scripting (XSS) in the 360° panorama viewer allows any authenticated user to execute arbitrary JavaScript in the browser of any other user who views the malicious panorama with the OCR overlay enabled. The attacker uploads an equirectangular image containing crafted text; OCR extracts it, and the panorama viewer renders it via innerHTML without sanitization. This enables session hijacking (via persistent API key creation), private photo exfiltration, and access to GPS location history and face biometric data. This vulnerability is fixed in 2.7.0.
Deeper analysis (AI-generated)
CVE-2026-35455 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Immich, a high-performance self-hosted photo and video management solution. The issue exists in versions prior to 2.7.0 within the 360° panorama viewer component, where OCR-extracted text from images is rendered via innerHTML without proper sanitization.
Any authenticated user can exploit the vulnerability by uploading an equirectangular image containing crafted text. When another user views the malicious panorama with the OCR overlay enabled, the extracted text triggers arbitrary JavaScript execution in the victim's browser. This enables session hijacking via persistent API key creation, exfiltration of private photos, and access to GPS location history and face biometric data. The CVSS v3.1 base score is 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H).
The vulnerability is fixed in Immich version 2.7.0. Additional details on mitigation are available in the GitHub security advisory at https://github.com/immich-app/immich/security/advisories/GHSA-9qx4-67jm-cc66.
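As an added illustration (not Immich's code and not taken from the advisory), the rendering pattern the description attributes to the pre-2.7.0 panorama viewer is shown next to a hardened form; the OCR sample string is constructed, and a minimal stand-in object replaces the overlay DOM element so the code runs under Node without a browser.

```javascript
// Added illustration, not Immich's code: the pre-2.7.0 pattern the advisory
// describes (OCR text assigned to innerHTML) beside a hardened form.

// Constructed sample of what OCR might extract from a crafted image: ordinary
// text with embedded markup. In a browser, innerHTML would parse the <img> tag
// and run its onerror handler.
const SAMPLE_OCR_TEXT = 'Lobby, north wall <img src=x onerror="alert(1)"> exit sign';

// Minimal stand-in for the overlay DOM element so the example runs under Node.
// It only records which property was assigned; it does not parse markup.
function makeOverlayElement() {
  return { innerHTML: '', textContent: '' };
}

// Vulnerable pattern: OCR output is treated as HTML.
function renderOcrOverlayUnsafe(el, ocrText) {
  el.innerHTML = ocrText;
  return el;
}

// Hardened pattern: OCR output is treated as plain text. textContent never
// creates elements or event handlers, whatever the string contains.
function renderOcrOverlaySafe(el, ocrText) {
  el.textContent = ocrText;
  return el;
}

// When the overlay must be assembled as an HTML string (templating, server-side
// rendering), escape the characters that can open a tag or close an attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Detection aid for a code review or a regression test: does a string that is
// about to be inserted as markup still contain a tag opener?
function containsTag(html) {
  return /<\s*\/?[a-z!]/i.test(html);
}

// Stand-alone demonstration.
const unsafeEl = renderOcrOverlayUnsafe(makeOverlayElement(), SAMPLE_OCR_TEXT);
const safeEl = renderOcrOverlaySafe(makeOverlayElement(), SAMPLE_OCR_TEXT);
console.log('unsafe overlay contains a tag:', containsTag(unsafeEl.innerHTML)); // true
console.log('safe overlay innerHTML is empty:', safeEl.innerHTML === ''); // true
console.log('escaped form contains a tag:', containsTag(escapeHtml(SAMPLE_OCR_TEXT))); // false
```

The same split applies to any other untrusted metadata the viewer displays: assign it through textContent, or escape it before it reaches a markup string.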
Details
- CWE(s)