Perceptive Security
SOC/SIEM Consultancy

immich is a high-performance self-hosted photo and video management solution. Prior to 2.7.0, Stored Cross-Site Scripting (XSS) in the 360° panorama viewer all…
Published:
7 April 2026 at 22:00:00
Alert date:
8 April 2026 at 22:09:50
Source:
nvd.nist.gov
Web Technologies, Data Breach & Exfiltration
A stored cross-site scripting (XSS) vulnerability in the immich photo management solution affects versions prior to 2.7.0. The vulnerability exists in the 360° panorama viewer, where authenticated users can upload malicious equirectangular images containing crafted text. When OCR processes these images and the panorama viewer renders the extracted text via innerHTML without proper sanitization, arbitrary JavaScript can execute in other users' browsers. This can lead to session hijacking through persistent API key creation, private photo exfiltration, and unauthorized access to GPS location history and biometric face data. The vulnerability requires the OCR overlay to be enabled and affects any user who views the malicious panorama.
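The defect described above is a rendering-context mistake: text recovered by OCR is data, but writing it through innerHTML asks the browser to parse it as markup. The example below is added here for illustration and is not immich's code; the function names, the overlay template and the sample OCR lines are all constructed assumptions. It builds the same overlay markup two ways and includes a small check that counts tags, which is the kind of assertion a reviewer or test can use to confirm OCR output can never introduce elements of its own.

```javascript
// Added example (not immich code): the same OCR overlay rendered two ways.
// Both functions return the markup a viewer would place into the page. The
// unsafe one mirrors the "innerHTML without sanitization" pattern from the
// advisory; the safe one escapes the OCR text first so it is only ever
// displayed as text.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can change HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: OCR output interpolated straight into markup.
// Equivalent to `overlay.innerHTML = lines.join('<br>')` in a real viewer.
function unsafeOverlayMarkup(ocrLines) {
  return `<div class="ocr-overlay">${ocrLines.join('<br>')}</div>`;
}

// Hardened pattern: every OCR line is escaped before interpolation, so the
// only tags in the result are the ones this template emits itself.
function safeOverlayMarkup(ocrLines) {
  return `<div class="ocr-overlay">${ocrLines.map(escapeHtml).join('<br>')}</div>`;
}

// Review-time check: count tags in the generated markup. For N lines the
// template emits exactly N + 1 tags (<div>, N - 1 <br>, </div>); any extra
// tag must have come from the OCR text, which is the bug the advisory describes.
function countTags(markup) {
  return (markup.match(/<[a-zA-Z\/][^>]*>/g) || []).length;
}

// Constructed sample: what an OCR pass might return for an image with
// HTML-looking text painted on it. Any '<' or '&' exercises the difference.
const sampleOcrLines = [
  'Welcome to the lobby',
  '<b>Exit</b> this way',
];

// Returns both renderings and their tag counts so the difference is visible.
function demo() {
  const unsafe = unsafeOverlayMarkup(sampleOcrLines);
  const safe = safeOverlayMarkup(sampleOcrLines);
  return { unsafe, safe, unsafeTags: countTags(unsafe), safeTags: countTags(safe) };
}
```

In a live DOM the equivalent fix is to assign the OCR text with `textContent` or to append text nodes rather than going through `innerHTML`; `escapeHtml` is what that amounts to when the overlay is assembled as a string. The `countTags` check is deliberately conservative: it treats any tag not produced by the template as a defect, regardless of whether it would actually execute script.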
Technical details
Mitigation steps:
Affected products:
immich
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-35455
https://github.com/immich-app/immich/security/advisories/GHSA-9qx4-67jm-cc66
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
