Stored XSS Vulnerability in Immich Photo Management Solution by Immi
CVE-2026-35455

7.3 HIGH

Key Information:

Vendor: Immich-app
Status: Vendor
CVE Published: 8 April 2026

What is CVE-2026-35455?

Immich, a self-hosted photo and video management solution, has a vulnerability that allows authenticated users to perform stored Cross-Site Scripting (XSS) through the 360° panorama viewer. Users can upload manipulated equirectangular images containing forged text, which are then processed by OCR and rendered in the panorama viewer without adequate sanitization. This flaw may lead to execution of arbitrary JavaScript in the browsers of users who view the compromised panoramas, potentially resulting in unauthorized access to sensitive information such as session tokens, private photos, GPS location data, and face biometric information. The issue has been addressed in version 2.7.0.
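The rendering flaw described above, as an added illustration in JavaScript (not Immich's own code; the function names and the OCR sample text are constructed): the unsafe pattern that interpolates OCR-extracted text straight into viewer markup, the escaped form that neutralises it, and an ingestion-time check that flags OCR output containing tags so it can be logged or dropped before it is stored.

```javascript
// Constructed sample: text an OCR pass might extract from a manipulated
// equirectangular image whose "signage" was forged to carry markup.
const SAMPLE_OCR_TEXT = 'Lobby <script>alert(1)</script>';

// Hypothetical vulnerable renderer: untrusted OCR text is dropped into
// markup unchanged, so any tag in the image text is parsed by the
// viewer's browser for every user who opens the panorama.
function renderOcrLabelUnsafe(ocrText) {
  return `<div class="ocr-label">${ocrText}</div>`;
}

// Minimal HTML escaping for text nodes and double-quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: OCR text is treated as data, never as markup.
// (In a browser, assigning element.textContent = ocrText achieves the
// same without building an HTML string at all.)
function renderOcrLabelSafe(ocrText) {
  return `<div class="ocr-label">${escapeHtml(ocrText)}</div>`;
}

// Server-side sanity check at upload/OCR time: text read off a photo
// should be plain prose, so anything that looks like the start of a tag
// is worth flagging in logs even when the viewer escapes correctly.
function containsMarkup(ocrText) {
  return /<\s*[a-z!/]/i.test(ocrText);
}

module.exports = { SAMPLE_OCR_TEXT, renderOcrLabelUnsafe, renderOcrLabelSafe, escapeHtml, containsMarkup };
```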

Affected Version(s)

immich < 2.7.0

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved