Skip to main content

Immich CVE-2026-53662

| EUVDEUVD-2026-38551 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-06-23 GitHub_M
9.6
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
9.6 CRITICAL

Network-reachable login page (AV:N), no auth to send the link (PR:N), victim click required (UI:R), XSS in Immich origin escapes login-page scope (S:C) and API-key minting yields full C/I/A.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 23, 2026 - 18:31 vuln.today
Analysis Generated
Jun 23, 2026 - 18:31 vuln.today

DescriptionCVE.org

immich is a high performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting (XSS) vulnerability on the /auth/login page allows an attacker to fully compromise any authenticated user's account with a single link click. The continue query parameter is read from the URL and passed to SvelteKit's redirect() without any scheme or origin validation, allowing attacker-controlled JavaScript to execute inside Immich's origin. The payload then uses the victim's existing session to mint an all-permission API key on their account, leading to persistent account takeover. This vulnerability is fixed in commit 4eb1003.

AnalysisAI

Reflected cross-site scripting in Immich (commits 4ffa26c9 through pre-4eb1003) allows a single-click account takeover of any authenticated user by abusing the unvalidated continue query parameter on /auth/login, which is passed directly to SvelteKit's redirect() without scheme or origin checks. The payload executes attacker-controlled JavaScript inside Immich's origin and uses the victim's session to mint an all-permission API key, yielding persistent compromise. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify target Immich user with active session
Delivery
Craft /auth/login URL with malicious continue payload
Exploit
Deliver link via phishing or chat
Install
Victim click triggers redirect() to attacker JS
C2
XSS executes in Immich origin
Execute
Payload mints all-permission API key
Impact
Persistent account takeover via stolen key

Vulnerability AssessmentAI

Exploitation Victim must already be authenticated to a vulnerable Immich instance (commit range 4ffa26c9 to pre-4eb1003) and must click an attacker-supplied link pointing at /auth/login with a malicious continue query parameter (UI:R in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All severity signals point in the same direction: CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (9.6 Critical) reflects unauthenticated network-reachable exploitation requiring only that an already-authenticated victim click a link, with a scope change because the XSS executes in Immich's origin and yields full account control via API-key minting. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a target Immich user a chat message or email containing a link such as https://immich.example.com/auth/login?continue=javascript:fetch('/api/api-keys',{method:'POST',...}); the victim, already logged in, clicks the link, the login page hands the continue value to SvelteKit's redirect(), and the javascript: URL executes in Immich's origin. The payload calls the API-key endpoint with the victim's session cookie to create an all-permission key, exfiltrates it to the attacker, and the attacker now has persistent backend access independent of the victim's session.
Remediation Upstream fix available (commit 4eb100327ea5da2e90381b96809f1f1cc51cc7e3); update Immich to any build that includes this commit per the vendor advisory at https://github.com/immich-app/immich/security/advisories/GHSA-8244-8vpr-vp9c. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify your Immich version; if between commits 4ffa26c9 and pre-4eb1003, immediately implement compensating controls. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53662 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy