EUVD-2026-20583

CVE-2026-35455 HIGH
2026-04-08 GitHub_M
7.3
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Apr 08, 2026 - 19:31 (vuln.today)
EUVD ID Assigned: Apr 08, 2026 - 19:31 (euvd), EUVD-2026-20583
CVE Published: Apr 08, 2026 - 18:31 (nvd), HIGH 7.3

Description

immich is a high performance self-hosted photo and video management solution. Prior to 2.7.0, Stored Cross-Site Scripting (XSS) in the 360° panorama viewer allows any authenticated user to execute arbitrary JavaScript in the browser of any other user who views the malicious panorama with the OCR overlay enabled. The attacker uploads an equirectangular image containing crafted text; OCR extracts it, and the panorama viewer renders it via innerHTML without sanitization. This enables session hijacking (via persistent API key creation), private photo exfiltration, and access to GPS location history and face biometric data. This vulnerability is fixed in 2.7.0.
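
The rendering flaw described above, as an added example that is not Immich's code: the OCR box fields (`x`, `y`, `text`) and all function names are hypothetical, and the sample input is constructed. The first builder interpolates OCR text into markup destined for innerHTML; the other two escape it or skip HTML parsing entirely via textContent.

```javascript
// Added example; hypothetical names, not taken from the Immich code base.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Coordinates also come from untrusted processing: force them to finite numbers.
function toPx(value) {
  const n = Number(value);
  return Number.isFinite(n) ? n : 0;
}

// Vulnerable pattern: OCR text is treated as markup once assigned to innerHTML.
function overlayMarkupUnsafe(box) {
  return `<div class="ocr-box" style="left:${box.x}px;top:${box.y}px">${box.text}</div>`;
}

// Hardened string builder, for viewer APIs that only accept HTML strings.
function overlayMarkupSafe(box) {
  return `<div class="ocr-box" style="left:${toPx(box.x)}px;top:${toPx(box.y)}px">` +
    `${escapeHtml(box.text)}</div>`;
}

// Preferred in the browser: textContent never parses its input as HTML.
function overlayNode(doc, box) {
  const el = doc.createElement('div');
  el.className = 'ocr-box';
  el.style.left = `${toPx(box.x)}px`;
  el.style.top = `${toPx(box.y)}px`;
  el.textContent = String(box.text);
  return el;
}

// Constructed sample: text as an OCR engine might return it from an uploaded image.
const SAMPLE_BOX = { x: 10, y: 20, text: '<img src=x onerror=alert(1)>' };
```
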

Analysis

Stored Cross-Site Scripting in Immich photo management platform versions prior to 2.7.0 enables authenticated attackers to execute arbitrary JavaScript when victims view malicious 360° panorama images with OCR overlay enabled. Attackers upload specially crafted equirectangular images containing malicious text that OCR extracts and the panorama viewer renders unsanitized via innerHTML. …

Remediation

Within 24 hours: Disable OCR overlay processing for 360° panorama images in Immich settings or restrict panorama upload permissions to administrators only. Within 7 days: Audit Immich instance logs for suspicious panorama image uploads (check for equirectangular format images with OCR extraction timestamps) and review session logs for unauthorized API key creation. …

Priority Score

37
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +36
POC: 0
