Impact
immich, a self‑hosted photo and video management platform, suffered from a stored cross‑site scripting flaw in its 360° panorama viewer. An authenticated user can upload an equirectangular image containing specially crafted text; the built‑in OCR engine extracts this text and the viewer renders it via innerHTML without sanitization. This allows the attacker to execute arbitrary JavaScript in the browser of any other user who opens the malicious panorama, potentially hijacking sessions through persistent API keys and exposing sensitive information such as private photos, GPS history, and face biometric data.
Affected Systems
Any installation of immich that is running a version earlier than 2.7.0 is affected. The vulnerability is reported for the immich-app:immich product line and impacts all customers deploying those versions.
Risk and Exploitability
The vulnerability has a CVSS score of 7.3, indicating a high severity level. While an EPSS score is not publicly available and the flaw is not listed in the CISA KEV catalog, the attack requires an authenticated account to upload a malicious image and a second authenticated user to view it with OCR enabled. The attack vector is therefore an authenticated, internal user flow rather than an unauthenticated remote one, but it still allows JavaScript execution in another user's browser and access to further privileged data. Given the high CVSS score and the potential for extensive data loss and session compromise, the risk of exploitation is considered significant for affected deployments.
OpenCVE Enrichment