Description
Pannellum is a lightweight, free, and open source panorama viewer for the web. In versions 3.5.0 through 2.5.6, the hot spot attributes configuration property allowed any attribute to be set, including HTML event handler attributes, allowing for potential XSS attacks. This affects websites hosting the standalone viewer HTML file and any other use of untrusted JSON config files (bypassing the protections of the escapeHTML parameter). As certain events fire without any additional user interaction, visiting a standalone viewer URL that points to a malicious config file — without additional user interaction — is sufficient to trigger the vulnerability and execute arbitrary JavaScript code, which can, for example, replace the contents of the page with arbitrary content and make it appear to be hosted by the website hosting the standalone viewer HTML file. This issue has been fixed in version 2.5.7. To workaround, setting the Content-Security-Policy header to script-src-attr 'none' will block execution of inline event handlers, mitigating this vulnerability. Don't host pannellum.htm on a domain that shares cookies with user authentication to mitigate XSS risk.
Published: 2026-02-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting via hot spot event handler attributes
Action: Patch
AI Analysis

Impact

The hot spot `attributes` configuration property in Pannellum copies every key of the supplied object onto the hot spot element, including HTML event handler attributes (names beginning with `on`). Those attribute names and values sit outside what the escapeHTML option protects, so an attacker who controls the JSON config gets JavaScript execution in the origin that serves the viewer. Because some of the events fire without any further interaction, the victim only has to open a viewer URL that references the attacker's config; the script can then rewrite the page contents and present attacker content as if the hosting site published it. The weakness is classified as CWE-79.

Affected Systems

The issue exists in Pannellum releases up to and including 2.5.6 and is fixed in 2.5.7. The advisory text states the affected range as 3.5.0 through 2.5.6; since 3.5.0 lies above the fix version, that lower bound cannot be right, so treat every deployed release before 2.5.7 as affected until confirmed otherwise. The project is published by mpetroff. In scope is any deployment of the standalone viewer HTML file that accepts a config location from the request, and any application that passes untrusted JSON config to the viewer; a site that embeds the viewer with a fixed, trusted config is not reachable through this property.

Risk and Exploitability

The CVSS v4.0 base score is 5.3 (Medium); the v3.1 vector recorded by NVD scores 6.1. The EPSS estimate below 1% puts the likelihood of exploitation low but non-zero, and the CVE is not listed in the CISA KEV catalog. No authentication or privileged access is needed, and the only user interaction is the victim opening a link (UI:P in the v4.0 vector, UI:R in v3.1). The attacker does not need to host the viewer; the target site already does. The attacker hosts the malicious JSON (served so that the viewer can fetch it cross-origin), builds a standalone viewer URL on the target site that points at it, and sends that URL to victims. Once the hot spot is rendered, the injected handler runs in the target site's origin without any further click.
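As an added example (not code from the Pannellum project or the advisory), the block below models the sink described above, every key of a hot spot's `attributes` object copied onto the element, beside an allow-list filter and a scanner that flags event-handler attributes in an untrusted config before the viewer renders it. The config is constructed for the example, the handler values are inert marker strings, and the function names (`applyAttributesUnsafe`, `filterHotSpotAttributes`, `findHandlerAttributes`, `FakeElement`) are hypothetical.

```javascript
// Added example, not code from the Pannellum project or the advisory. It
// models the sink described above (every key of a hot spot's "attributes"
// object copied onto the element) and two checks a site can run on untrusted
// JSON before handing it to the viewer. Function names are hypothetical.

// Constructed sample config of the kind an attacker could host and point the
// standalone viewer at. Handler values are inert marker strings.
const untrustedConfig = {
  type: "equirectangular",
  panorama: "https://example.invalid/pano.jpg",
  hotSpots: [
    { pitch: 2, yaw: 10, type: "info", text: "Hello",
      attributes: { "data-id": "7", "OnMouseOver": "alert(document.domain)", "title": "ok" } },
  ],
  scenes: {
    two: {
      hotSpots: [
        { pitch: -5, yaw: 90, type: "link", text: "Next", sceneId: "one",
          attributes: { "onfocus": "fetch('https://example.invalid/x')", "tabindex": "0", "href": "javascript:alert(1)" } },
      ],
    },
  },
};

// Minimal stand-in for a DOM element so the example runs outside a browser.
class FakeElement {
  constructor() { this.attrs = {}; }
  setAttribute(name, value) { this.attrs[name.toLowerCase()] = String(value); }
}

// Vulnerable pattern: copy every key verbatim. Any on* key becomes an inline
// event handler, and the browser runs it when that event fires.
function applyAttributesUnsafe(el, attributes) {
  for (const [name, value] of Object.entries(attributes || {})) el.setAttribute(name, value);
  return el;
}

// Hardened pattern: an allow-list of names that cannot carry script or a URL.
const SAFE_ATTRIBUTE = /^(data-[a-z0-9_.-]+|aria-[a-z]+|title|tabindex|role|id|class)$/;

function filterHotSpotAttributes(attributes) {
  const kept = {};
  const rejected = [];
  for (const [rawName, value] of Object.entries(attributes || {})) {
    const name = rawName.trim().toLowerCase(); // HTML attribute names are case-insensitive
    if (SAFE_ATTRIBUTE.test(name)) kept[name] = String(value);
    else rejected.push(rawName);
  }
  return { kept, rejected };
}

function applyAttributesSafe(el, attributes) {
  for (const [name, value] of Object.entries(filterHotSpotAttributes(attributes).kept)) el.setAttribute(name, value);
  return el;
}

// Every hot spot list in a config: top-level hotSpots plus per-scene lists in tours.
function hotSpotLists(config) {
  const lists = [];
  if (Array.isArray(config.hotSpots)) lists.push({ scene: null, hotSpots: config.hotSpots });
  for (const [id, scene] of Object.entries(config.scenes || {})) {
    if (scene && Array.isArray(scene.hotSpots)) lists.push({ scene: id, hotSpots: scene.hotSpots });
  }
  return lists;
}

// Detection: report every event-handler attribute in an untrusted config, so
// the config can be rejected or logged before the viewer ever renders it.
function findHandlerAttributes(config) {
  const findings = [];
  for (const { scene, hotSpots } of hotSpotLists(config)) {
    hotSpots.forEach((hs, index) => {
      for (const name of Object.keys((hs && hs.attributes) || {})) {
        if (/^\s*on/i.test(name)) findings.push({ scene, index, attribute: name });
      }
    });
  }
  return findings;
}

// Example run: the unsafe path installs the handler, the safe path drops it.
const unsafeEl = applyAttributesUnsafe(new FakeElement(), untrustedConfig.hotSpots[0].attributes);
const safeEl = applyAttributesSafe(new FakeElement(), untrustedConfig.hotSpots[0].attributes);
console.log("unsafe:", unsafeEl.attrs);
console.log("safe:", safeEl.attrs);
console.log("findings:", findHandlerAttributes(untrustedConfig));
```

The scanner is the check to run at the boundary where JSON enters from users or from an arbitrary config URL; the allow-list is the shape of fix to apply if the viewer cannot be upgraded and is patched locally. Note that the mixed-case `OnMouseOver` key is caught because attribute names are lowercased before the test, and that the `href` with a `javascript:` URL is dropped by the allow-list without needing a separate URL check.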

Generated by OpenCVE AI on April 17, 2026 at 16:53 UTC.

Remediation

Fixed upstream in Pannellum 2.5.7. Until the upgrade is deployed, the advisory offers two workarounds: a Content-Security-Policy header containing script-src-attr 'none', which blocks inline event handlers, and hosting pannellum.htm on an origin that shares no authentication cookies with the application.

OpenCVE Recommended Actions

  • Upgrade Pannellum to version 2.5.7 or later, which stops arbitrary hot spot attributes from being applied.
  • If an immediate upgrade is not feasible, send a Content-Security-Policy header containing script-src-attr 'none' (for example: Content-Security-Policy: script-src-attr 'none') so that inline event handlers are blocked. script-src-attr is a CSP Level 3 directive; browsers that do not implement it fall back to script-src and then default-src, so those directives must not carry a bare 'unsafe-inline' or the fallback browsers stay exposed. If the viewer page relies on inline <script> blocks, allow them with a hash or nonce rather than 'unsafe-inline', and test the viewer after deploying the header.
  • Serve pannellum.htm from an origin that shares no authentication cookies with the application. A separate registrable domain is the clean option; a subdomain only helps if the application's cookies are not set with a Domain attribute that covers it, since such cookies are sent to every subdomain.
  • Treat config input as untrusted: do not expose the standalone viewer with an open config location if you only need to load configs you publish, and validate any user-supplied JSON config (in particular the hot spot attributes object) before passing it to the viewer.
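As an added example (not from the advisory or the Pannellum project), the checker below decides whether a given Content-Security-Policy value blocks inline event handler attributes, evaluated both for browsers that implement script-src-attr and for older browsers that ignore it and fall back to script-src and default-src. The candidate headers are constructed for the example and the function names (`parseCsp`, `directiveBlocksInlineHandlers`, `cspBlocksInlineHandlers`) are hypothetical.

```javascript
// Added example, not code from the advisory or the Pannellum project: a small
// checker for whether a Content-Security-Policy value blocks inline event
// handler attributes, evaluated two ways: for browsers that implement
// script-src-attr (CSP Level 3) and for older browsers that ignore it and
// fall back to script-src / default-src. Function names are hypothetical.

// Parse "name src src; name src" into a Map. The first occurrence of a
// directive wins, as in the CSP processing model.
function parseCsp(header) {
  const directives = new Map();
  for (const part of String(header).split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one directive's source list block an attacker-supplied inline handler?
// Such a handler carries no nonce and matches no listed hash, so it only runs
// when 'unsafe-inline' is present and not neutralised by a nonce, a hash or
// 'strict-dynamic' in the same directive.
function directiveBlocksInlineHandlers(sources) {
  const lower = sources.map((s) => s.toLowerCase());
  if (lower.includes("'none'")) return true;
  const neutralisesUnsafeInline = lower.some((s) => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s));
  if (lower.includes("'unsafe-inline'") && !neutralisesUnsafeInline) return false;
  return true;
}

// Resolve the directive that governs inline handlers along a fallback chain.
function governingDirective(directives, chain) {
  for (const name of chain) if (directives.has(name)) return directives.get(name);
  return null; // no applicable directive: the policy imposes no restriction
}

function cspBlocksInlineHandlers(header) {
  const d = parseCsp(header);
  const modern = governingDirective(d, ["script-src-attr", "script-src", "default-src"]);
  const legacy = governingDirective(d, ["script-src", "default-src"]); // browsers without script-src-attr
  return {
    modern: modern !== null && directiveBlocksInlineHandlers(modern),
    legacy: legacy !== null && directiveBlocksInlineHandlers(legacy),
  };
}

// Constructed candidate headers for a site serving pannellum.htm.
const candidateHeaders = {
  advisoryOnly: "script-src-attr 'none'",
  withUnsafeInlineFallback: "default-src 'self'; script-src 'self' 'unsafe-inline'; script-src-attr 'none'",
  hashedInlineScripts: "default-src 'self'; script-src 'self' 'sha256-REPLACE_WITH_REAL_HASH='; script-src-attr 'none'",
  nonceOnly: "script-src 'self' 'unsafe-inline' 'nonce-r4nd0m'",
  noPolicy: "",
};

function evaluateCandidates() {
  const out = {};
  for (const [label, header] of Object.entries(candidateHeaders)) out[label] = cspBlocksInlineHandlers(header);
  return out;
}

console.table(evaluateCandidates());
```

The first two candidates show the caveat from the list above: the advisory's directive on its own, or alongside a script-src that still carries 'unsafe-inline', protects only browsers that honour script-src-attr. The third candidate keeps any legitimate inline script working through a hash while leaving both paths closed; the fourth shows that a nonce in script-src neutralises 'unsafe-inline' even without script-src-attr. Replace the placeholder hash with the real digest of the page's inline script before using such a policy.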

Generated by OpenCVE AI on April 17, 2026 at 16:53 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-8423-w5wx-h2r6
Title: Pannellum has a XSS vulnerability in hot spot attributes
History

Mon, 02 Mar 2026 15:30:00 +0000

Values removed: none. Values added:
  First Time appeared: Pannellum; Pannellum pannellum
  CPEs: cpe:2.3:a:pannellum:pannellum:*:*:*:*:*:*:*:*
  Vendors & Products: Pannellum; Pannellum pannellum
  Metrics: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Wed, 25 Feb 2026 22:15:00 +0000

Values removed: none. Values added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Values removed: none. Values added:
  First Time appeared: Mpetroff; Mpetroff pannellum
  Vendors & Products: Mpetroff; Mpetroff pannellum

Sat, 21 Feb 2026 05:45:00 +0000

Values removed: none. Values added:
  Description: Pannellum is a lightweight, free, and open source panorama viewer for the web. In versions 3.5.0 through 2.5.6, the hot spot attributes configuration property allowed any attribute to be set, including HTML event handler attributes, allowing for potential XSS attacks. This affects websites hosting the standalone viewer HTML file and any other use of untrusted JSON config files (bypassing the protections of the escapeHTML parameter). As certain events fire without any additional user interaction, visiting a standalone viewer URL that points to a malicious config file — without additional user interaction — is sufficient to trigger the vulnerability and execute arbitrary JavaScript code, which can, for example, replace the contents of the page with arbitrary content and make it appear to be hosted by the website hosting the standalone viewer HTML file. This issue has been fixed in version 2.5.7. To workaround, setting the Content-Security-Policy header to script-src-attr 'none' will block execution of inline event handlers, mitigating this vulnerability. Don't host pannellum.htm on a domain that shares cookies with user authentication to mitigate XSS risk.
  Title: Pannellum has a XSS vulnerability in hot spot attributes
  Weaknesses: CWE-79
  References:
  Metrics: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T21:16:34.830Z

Reserved: 2026-02-18T19:47:02.156Z

Link: CVE-2026-27210

Vulnrichment

Updated: 2026-02-25T21:16:30.663Z

NVD

Status : Analyzed

Published: 2026-02-21T06:17:01.083

Modified: 2026-03-02T15:21:06.073

Link: CVE-2026-27210

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:00:10Z

Weaknesses