{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-35455/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-35455"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["immich","xss","cve-2026-35455","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eImmich, a self-hosted photo and video management solution, is vulnerable to a stored Cross-Site Scripting (XSS) attack. Specifically, versions prior to 2.7.0 are susceptible. An authenticated attacker can exploit the 360° panorama viewer by uploading a specially crafted equirectangular image that contains malicious text. When another user views the panorama with the OCR overlay enabled, the injected text is extracted via OCR and rendered by the panorama viewer without sanitization. This leads to arbitrary JavaScript execution within the victim\u0026rsquo;s browser. The vulnerability, identified as CVE-2026-35455, poses a significant risk, potentially leading to session hijacking (via persistent API key creation), private photo exfiltration, and unauthorized access to sensitive data like GPS location history and face biometric data. Users are advised to upgrade to version 2.7.0 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to an Immich instance with a valid user account.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an equirectangular image containing malicious JavaScript code embedded within the text.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the crafted image to the Immich server through the web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker shares or otherwise causes another user to view the uploaded panorama image.\u003c/li\u003e\n\u003cli\u003eThe victim views the panorama image with the OCR overlay feature enabled.\u003c/li\u003e\n\u003cli\u003eThe Immich server processes the image, and the OCR engine extracts the malicious JavaScript from the image.\u003c/li\u003e\n\u003cli\u003eThe panorama viewer renders the OCR output via \u003ccode\u003einnerHTML\u003c/code\u003e without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript executes within the victim\u0026rsquo;s browser session, allowing the attacker to perform actions such as session hijacking, data exfiltration, or unauthorized data access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability (CVE-2026-35455) in Immich can lead to severe consequences. An attacker can hijack user sessions by creating persistent API keys, allowing them to impersonate the victim. Furthermore, they can exfiltrate private photos and gain unauthorized access to sensitive information such as GPS location history and face biometric data stored within the Immich instance. The number of potential victims corresponds to the number of users on a vulnerable Immich instance. Given the self-hosted nature of Immich, the impact is largely dependent on the type and sensitivity of data stored within affected deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Immich to version 2.7.0 or later to patch the CVE-2026-35455 vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for user-uploaded content, particularly images, to prevent XSS attacks. Focus on \u003ccode\u003ewebserver\u003c/code\u003e logs for unusual POST requests.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Immich Panorama Requests\u003c/code\u003e to identify potential exploitation attempts based on unusual URL parameters indicative of crafted panorama requests.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003ewebserver\u003c/code\u003e logs for HTTP requests containing suspicious JavaScript payloads within the URL, which may indicate XSS attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T19:25:24Z","date_published":"2026-04-08T19:25:24Z","id":"/briefs/2024-01-immich-xss/","summary":"A stored cross-site scripting (XSS) vulnerability in Immich versions before 2.7.0 allows authenticated users to inject arbitrary JavaScript via crafted equirectangular images, leading to session hijacking, data exfiltration, and unauthorized access.","title":"Immich Stored XSS Vulnerability in 360° Panorama Viewer (CVE-2026-35455)","url":"https://feed.craftedsignal.io/briefs/2024-01-immich-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-35455","version":"https://jsonfeed.org/version/1.1"}