Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Network-reachable login page (AV:N), no auth to send the link (PR:N), victim click required (UI:R), XSS in Immich origin escapes login-page scope (S:C) and API-key minting yields full C/I/A.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
immich is a high performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting (XSS) vulnerability on the /auth/login page allows an attacker to fully compromise any authenticated user's account with a single link click. The continue query parameter is read from the URL and passed to SvelteKit's redirect() without any scheme or origin validation, allowing attacker-controlled JavaScript to execute inside Immich's origin. The payload then uses the victim's existing session to mint an all-permission API key on their account, leading to persistent account takeover. This vulnerability is fixed in commit 4eb1003.
AnalysisAI
Reflected cross-site scripting in Immich (commits 4ffa26c9 through pre-4eb1003) allows a single-click account takeover of any authenticated user by abusing the unvalidated continue query parameter on /auth/login, which is passed directly to SvelteKit's redirect() without scheme or origin checks. The payload executes attacker-controlled JavaScript inside Immich's origin and uses the victim's session to mint an all-permission API key, yielding persistent compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Victim must already be authenticated to a vulnerable Immich instance (commit range 4ffa26c9 to pre-4eb1003) and must click an attacker-supplied link pointing at /auth/login with a malicious continue query parameter (UI:R in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All severity signals point in the same direction: CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (9.6 Critical) reflects unauthenticated network-reachable exploitation requiring only that an already-authenticated victim click a link, with a scope change because the XSS executes in Immich's origin and yields full account control via API-key minting. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a target Immich user a chat message or email containing a link such as https://immich.example.com/auth/login?continue=javascript:fetch('/api/api-keys',{method:'POST',...}); the victim, already logged in, clicks the link, the login page hands the continue value to SvelteKit's redirect(), and the javascript: URL executes in Immich's origin. The payload calls the API-key endpoint with the victim's session cookie to create an all-permission key, exfiltrates it to the attacker, and the attacker now has persistent backend access independent of the victim's session. |
| Remediation | Upstream fix available (commit 4eb100327ea5da2e90381b96809f1f1cc51cc7e3); update Immich to any build that includes this commit per the vendor advisory at https://github.com/immich-app/immich/security/advisories/GHSA-8244-8vpr-vp9c. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify your Immich version; if between commits 4ffa26c9 and pre-4eb1003, immediately implement compensating controls. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Immich versions prior to 2.5.0 contain an improper access control flaw that allows any authenticated API key to escalate
Album ownership takeover in immich before 3.0.3 allows a user with shared-album editor access to escalate to full owner
Stored Cross-Site Scripting in Immich photo management platform versions prior to 2.7.0 enables authenticated attackers
Immich prior to version 2.6.0 discloses shared album passwords in cleartext within URL query parameters during authentic
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38551