What is the CVSS score of CVE-2026-35455?

CVE-2026-35455 has a CVSS 3.1 base score of 7.3 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Immich are affected by CVE-2026-35455?

Immich photo management platform versions before 2.7.0 contain a stored cross-site scripting vulnerability that allows authenticated users to inject malicious code through 360° panorama images with…. A patch is available.

How to fix or mitigate CVE-2026-35455?

Within 24 hours: inventory all Immich deployments and document current versions; confirm OCR + panorama viewer features are in use. Within 7 days: upgrade all instances to Immich 2.7.0 or later per vendor advisory; test core functionality post-upgrade. Within 30 days: audit Immich access logs for suspicious 360° image uploads or OCR activity during vulnerability window; review shared galleries for unusual content; reset API keys for users with access to sensitive photo collections.

Immich CVE-2026-35455

EUVD-2026-20583 HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-04-08 GitHub_M

XSS Immich

7.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.3 HIGH

AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:01 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

2.7.0

EUVD ID Assigned

Apr 08, 2026 - 19:31 euvd

EUVD-2026-20583

Analysis Generated

Apr 08, 2026 - 19:31 vuln.today

CVE Published

Apr 08, 2026 - 18:31 nvd

HIGH 7.3

DescriptionGitHub Advisory

immich is a high performance self-hosted photo and video management solution. Prior to 2.7.0, sStored Cross-Site Scripting (XSS) in the 360° panorama viewer allows any authenticated user to execute arbitrary JavaScript in the browser of any other user who views the malicious panorama with the OCR overlay enabled. The attacker uploads an equirectangular image containing crafted text; OCR extracts it, and the panorama viewer renders it via innerHTML without sanitization. This enables session hijacking (via persistent API key creation), private photo exfiltration, and access to GPS location history and face biometric data. This vulnerability is fixed in 2.7.0.

AnalysisAI

Stored Cross-Site Scripting in Immich photo management platform versions prior to 2.7.0 enables authenticated attackers to execute arbitrary JavaScript when victims view malicious 360° panorama images with OCR overlay enabled. Attackers upload specially crafted equirectangular images containing malicious text that OCR extracts and the panorama viewer renders unsanitized via innerHTML. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticated attacker uploads crafted equirectangular image

Exploit

OCR extracts malicious text from image

Execution

Panorama viewer renders text via unsanitized innerHTML

Impact

Arbitrary JavaScript executes in victim's browser

Access

Authenticated attacker uploads crafted equirectangular image

Exploit

OCR extracts malicious text from image

Execution

Panorama viewer renders text via unsanitized innerHTML

Impact

Arbitrary JavaScript executes in victim's browser

Vulnerability AssessmentAI

Exploitation	Requires authenticated user access to Immich versions prior to 2.7.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Authenticated stored XSS in panorama OCR overlay enables session hijacking, private photo/GPS exfiltration, and biometric data access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	Attacker uploads equirectangular image with OCR-extractable malicious text; victim views panorama with OCR overlay enabled, triggering unsanitized innerHTML rendering. JavaScript executes in victim's session, creating persistent API key for account takeover and data exfiltration.
Remediation	Vendor-released patch: Immich 2.7.0 resolves this vulnerability through input sanitization in the panorama viewer OCR rendering pathway. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all Immich deployments and document current versions; confirm OCR + panorama viewer features are in use. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-35455 vulnerability details – vuln.today

Back

Immich CVE-2026-35455

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code