
immich is a high performance self-hosted photo and video management solution. Prior to 2.7.0, Stored Cross-Site Scripting (XSS) in the 360° panorama viewer all…

Published:

7 April 2026 at 22:00:00

Alert date:

8 April 2026 at 20:02:46

Source:

nvd.nist.gov


Web Technologies

A stored cross-site scripting (XSS) vulnerability in the immich photo management solution prior to version 2.7.0 affects the 360° panorama viewer. Authenticated users can upload malicious equirectangular images containing crafted text that is processed by OCR. The panorama viewer renders this text via innerHTML without sanitization, allowing arbitrary JavaScript execution. This enables session hijacking through persistent API key creation, private photo exfiltration, and access to GPS location history and face biometric data. The vulnerability requires the OCR overlay to be enabled and affects any user who views the malicious panorama.
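The root cause described above is a sink problem: OCR output is untrusted data, and writing it into innerHTML lets the browser parse any markup it contains. The following is an added example, not immich's code, that places the vulnerable pattern beside the hardened one. It assumes a hypothetical overlay renderer that produces the overlay markup as a string, and a constructed OCR sample that happens to contain tags; in a real DOM the fix is to assign the text through textContent (or a text node) so it is never parsed as HTML.

```javascript
// Added example (not immich code): rendering OCR-derived text into an overlay.
// Two renderers are shown: the vulnerable pattern (raw interpolation into the
// innerHTML string) and a hardened one that escapes the text before insertion.

// Constructed sample: OCR output from a panorama that contains markup characters.
const SAMPLE_OCR_TEXT = 'Tour <b>2026</b> <img src=x>';

// Minimal HTML escaping for text that will be placed into element content.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: OCR text becomes markup, so any tags in it are parsed by
// the browser once this string is assigned to innerHTML.
function renderOverlayUnsafe(ocrText) {
  return `<div class="ocr-overlay">${ocrText}</div>`;
}

// Hardened pattern: the same text is escaped, so the browser displays it
// literally and never creates elements from it.
function renderOverlaySafe(ocrText) {
  return `<div class="ocr-overlay">${escapeHtml(ocrText)}</div>`;
}

// Quick check of what a browser would parse: count tags other than the wrapper.
// A non-zero result on OCR-derived content is the defect the advisory describes.
function countInjectedTags(html) {
  const inner = html
    .replace(/^<div class="ocr-overlay">/, '')
    .replace(/<\/div>$/, '');
  return (inner.match(/<[a-zA-Z\/][^>]*>/g) || []).length;
}

// DOM-side equivalent of the hardened renderer: textContent (hypothetical
// element argument) stores the string as text and never parses it as HTML.
function applyOverlay(element, ocrText) {
  element.textContent = ocrText;
  return element.textContent;
}
```

The escape helper is shown so the behaviour is visible in a plain string; when the target is a live DOM node, prefer textContent over escaping into innerHTML, because it removes the HTML parser from the path entirely rather than relying on the escape being complete.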

Technical details

Affected products:

immich

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website shows information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
