Back to overview

CVE-2026-53662

CRITICAL Exploitation: PoC
9.6
CVSS 3.1
Description
immich is a high performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting (XSS) vulnerability on the /auth/login page allows an attacker to fully compromise any authenticated user's account with a single link click. The continue query parameter is read from the URL and passed to SvelteKit's redirect() without any scheme or origin validation, allowing attacker-controlled JavaScript to execute inside Immich's origin. The payload then uses the victim's existing session to mint an all-permission API key on their account, leading to persistent account takeover. This vulnerability is fixed in commit 4eb1003.

Metadata

CVE ID
CVE-2026-53662
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-09 20:50 UTC
Published
2026-06-23 17:36 UTC
Last updated
2026-06-23 18:32 UTC
Primary CWE
CWE-79
CWE-79: Improper Neutralization of Input During Web Page Gen…
Vendor / Product
immich-app / immich
Sources
cve.org  ·  NVD

Severity & Metrics

9.6 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
immich-app immich >= main@4ffa26c9, < main@4eb1003
Weakness (CWE)
CWESourceDescription
CWE-601 cna CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CWE-79 cna CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.6 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References (2)
Back to overview