CVE-2026-35455 HIGH

CVE-2026-35455: immich has Stored XSS via OCR Text in 360° Panorama Viewer

Vendor Immich-App

Product immich

Weakness CWE-79 · XSS

Published April 8, 2026

Last update April 13, 2026

View on NVD All CVEs

CVSS base score

7.3/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

immich is a high performance self-hosted photo and video management solution. Prior to 2.7.0, sStored Cross-Site Scripting (XSS) in the 360° panorama viewer allows any authenticated user to execute arbitrary JavaScript in the browser of any other user who views the malicious panorama with the OCR overlay enabled. The attacker uploads an equirectangular image containing crafted text; OCR extracts it, and the panorama viewer renders it via innerHTML without sanitization. This enables session hijacking (via persistent API key creation), private photo exfiltration, and access to GPS location history and face biometric data. This vulnerability is fixed in 2.7.0.

Key dates

02Disclosure timeline

April 8, 2026 CVE published

April 13, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-35455

Related vulnerabilities

CVE-2026-35455: immich has Stored XSS via OCR Text in 360° Panorama Viewer

01Description

02Disclosure timeline

03References

04Related CVE