Description
immich is a high performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting (XSS) vulnerability on the /auth/login page allows an attacker to fully compromise any authenticated user's account with a single link click. The continue query parameter is read from the URL and passed to SvelteKit's redirect() without any scheme or origin validation, allowing attacker-controlled JavaScript to execute inside Immich's origin. The payload then uses the victim's existing session to mint an all-permission API key on their account, leading to persistent account takeover. This vulnerability is fixed in commit 4eb1003.
Published: 2026-06-23
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A reflected cross-site scripting flaw existed on the /auth/login page of immich between commit 4ffa26c9 and commit 4eb1003. The continue query parameter is read from the URL and forwarded to SvelteKit's redirect() without scheme or origin validation, so an attacker-supplied value can cause JavaScript to execute within Immich's origin. Because the victim is already authenticated, the malicious script can use the existing session to create a full-permission API key in the victim's account, allowing a persistent takeover of that account after a single link click. The flaw is fixed in commit 4eb1003. It is classified under CWE-79 (XSS) and CWE-601 (Open Redirect).

Affected Systems

The vulnerability affects the immich‑app:immich product. It was present between commit 4ffa26c9 and commit 4eb1003; updating to commit 4eb1003 or any later release removes the flaw. No specific versions are listed beyond this commit range.

Risk and Exploitability

The CVSS 3.1 score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) indicates critical severity; the vector records that user interaction is required (UI:R) and that scope is changed (S:C). The EPSS score is below 1% and there is no KEV listing, but neither lowers the risk to an authenticated user of an exposed instance, and the SSVC assessment already records a proof of concept (Exploitation: poc) with total technical impact. The attack needs no prior access: an attacker crafts a link to /auth/login with a malicious continue parameter and persuades a logged-in user to click it. The payload then runs with the victim's session, generates a full-permission API key and gives the attacker persistent access to the account through that key. Single-click exploitation combined with the severity of the outcome makes this a significant threat.

Generated by OpenCVE AI on June 24, 2026 at 10:47 UTC.

Remediation

The fix is upstream commit 4eb1003 (see Description); no separate vendor advisory or workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade immich to commit 4eb1003 or the latest released version that contains the fix.
  • If possible, disable the use of the continue parameter for redirects or implement strict origin and scheme validation on all redirect URLs.
  • Treat every user-supplied redirect target as untrusted: accept only same-origin relative paths and reject absolute URLs, protocol-relative `//host` forms and `javascript:` or `data:` schemes. Output encoding alone does not neutralize a malicious redirect target. A web application firewall rule that blocks suspicious redirects can reduce exposure but is not a substitute for fixing the code.
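The following is an added example, not immich's code and not the fix in commit 4eb1003. It illustrates the mechanism described in the Impact section and the validation recommended above: a login handler that hands the continue parameter straight to a redirect(), next to a hardened version that accepts only a path on the application's own origin. SvelteKit's redirect() is modelled by a small stub that records the Location value, the deployment origin https://immich.example is assumed, and the sample requests are constructed for the demonstration.

```javascript
// Added example (not immich's code): unvalidated `continue` redirect target
// versus an allowlist of same-origin paths.
// Assumptions: APP_ORIGIN is a hypothetical deployment origin, and redirect()
// is a stand-in for SvelteKit's helper, which only packages status + location.

const APP_ORIGIN = 'https://immich.example'; // assumed deployment origin

// Minimal model of SvelteKit's redirect(): records what would become Location.
function redirect(status, location) {
  return { status, location: String(location) };
}

// Vulnerable pattern: the query parameter is trusted as-is, so any scheme
// (javascript:, data:, https://attacker) or foreign host reaches redirect().
function vulnerableLoginRedirect(requestUrl) {
  const url = new URL(requestUrl);
  const target = url.searchParams.get('continue') || '/photos';
  return redirect(302, target);
}

// Hardened pattern: only a relative path on our own origin is accepted;
// anything else falls back to a fixed in-app destination.
function safeContinueTarget(raw, fallback = '/photos') {
  if (typeof raw !== 'string' || raw.length === 0) return fallback;
  // Reject protocol-relative (//host) and backslash variants (/\host) up front.
  if (!raw.startsWith('/') || raw.startsWith('//') || raw.startsWith('/\\')) {
    return fallback;
  }
  let parsed;
  try {
    parsed = new URL(raw, APP_ORIGIN); // resolve against our origin
  } catch {
    return fallback;
  }
  // After resolution the target must still live on our origin.
  if (parsed.origin !== APP_ORIGIN) return fallback;
  // Re-serialize only path, query and fragment; never echo the raw string.
  return parsed.pathname + parsed.search + parsed.hash;
}

function hardenedLoginRedirect(requestUrl) {
  const url = new URL(requestUrl);
  return redirect(302, safeContinueTarget(url.searchParams.get('continue')));
}

// Constructed sample requests (not real traffic) for a side-by-side check.
const SAMPLES = [
  'https://immich.example/auth/login?continue=/albums/123',
  'https://immich.example/auth/login?continue=javascript:alert(document.domain)',
  'https://immich.example/auth/login?continue=//evil.example/phish',
  'https://immich.example/auth/login?continue=https://evil.example/',
];

// Returns, for each sample, where the vulnerable and hardened handlers send the user.
function compare() {
  return SAMPLES.map((s) => ({
    request: s,
    vulnerable: vulnerableLoginRedirect(s).location,
    hardened: hardenedLoginRedirect(s).location,
  }));
}

console.log(JSON.stringify(compare(), null, 2));
```

Run it with node: the vulnerable handler passes `javascript:alert(document.domain)` and `//evil.example/phish` through unchanged, while the hardened handler sends every non-local target to `/photos`. The check works on the parsed, re-serialized URL rather than on the raw string, which is what defeats encoding and `/\host` tricks that a prefix test alone would miss.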

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 22:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Immich-app; Immich-app immich
Vendors & Products | | Immich-app; Immich-app immich

Tue, 23 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | immich is a high performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting (XSS) vulnerability on the /auth/login page allows an attacker to fully compromise any authenticated user's account with a single link click. The continue query parameter is read from the URL and passed to SvelteKit's redirect() without any scheme or origin validation, allowing attacker-controlled JavaScript to execute inside Immich's origin. The payload then uses the victim's existing session to mint an all-permission API key on their account, leading to persistent account takeover. This vulnerability is fixed in commit 4eb1003.
Title | | immich: One-click account takeover via XSS in login page continue redirect
Weaknesses | | CWE-601, CWE-79
References | |
Metrics | | cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T18:32:43.755Z

Reserved: 2026-06-09T20:50:36.877Z

Link: CVE-2026-53662

Vulnrichment

Updated: 2026-06-23T18:28:11.658Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T11:00:13Z

Weaknesses
  • CWE-601

    URL Redirection to Untrusted Site ('Open Redirect')

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')