CVE-2026-27210: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mpetroff pannellum
Pannellum is a lightweight, free, and open source panorama viewer for the web. In versions 3.5.0 through 2.5.6, the hot spot attributes configuration property allowed any attribute to be set, including HTML event handler attributes, allowing for potential XSS attacks. This affects websites hosting the standalone viewer HTML file and any other use of untrusted JSON config files (bypassing the protections of the escapeHTML parameter). As certain events fire without any additional user interaction, visiting a standalone viewer URL that points to a malicious config file is sufficient to trigger the vulnerability and execute arbitrary JavaScript code, which can, for example, replace the contents of the page with arbitrary content and make it appear to be hosted by the website hosting the standalone viewer HTML file. This issue has been fixed in version 2.5.7. As a workaround, setting the Content-Security-Policy header to script-src-attr 'none' will block execution of inline event handlers, mitigating this vulnerability. To reduce XSS risk, don't host pannellum.htm on a domain that shares cookies with user authentication.
AI Analysis
Technical Summary
CVE-2026-27210 is a cross-site scripting vulnerability identified in the Pannellum open-source panorama viewer, specifically affecting versions from 2.5.0 up to but not including 2.5.7. The vulnerability stems from improper neutralization of input during web page generation (CWE-79). The core issue lies in the hot spot attributes configuration property, which permits setting any attribute, including HTML event handler attributes such as onclick or onmouseover. This allows an attacker to craft malicious JSON configuration files or URLs that inject arbitrary JavaScript code. Because certain event handlers fire automatically without user interaction, simply visiting a URL referencing a malicious config file can trigger script execution. This leads to arbitrary JavaScript execution in the context of the vulnerable web page, enabling attackers to manipulate page content, perform phishing attacks by spoofing the hosting site, or steal sensitive information if cookies are accessible. The vulnerability bypasses the protections provided by the escapeHTML parameter, which makes it more dangerous. The vulnerability is mitigated by updating to Pannellum version 2.5.7, which fixes the input validation flaw. As an interim workaround, setting a Content-Security-Policy header containing script-src-attr 'none' disables execution of inline event handlers, blocking the attack vector. Additionally, hosting the vulnerable pannellum.htm file on a domain that does not share authentication cookies reduces the risk of session hijacking. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low complexity, no privileges required, no user interaction needed, and limited scope impact. No known exploits have been reported in the wild as of publication.
Potential Impact
The impact of CVE-2026-27210 is primarily the execution of arbitrary JavaScript code in the context of the vulnerable web page. This can lead to several security consequences: unauthorized content manipulation, phishing attacks by spoofing legitimate site content, theft of sensitive data such as session cookies if the vulnerable viewer is hosted on a domain sharing authentication cookies, and potential further exploitation depending on the victim's browser environment. Organizations using Pannellum to display panoramas on public or internal websites risk exposing users to these attacks, especially if untrusted JSON configuration files are used or if URLs can be manipulated. The vulnerability does not require user interaction beyond visiting a malicious URL, increasing its risk. However, the scope is limited to the context of the Pannellum viewer page, and it does not directly affect backend systems or data integrity beyond the web page content. The lack of known exploits reduces immediate risk, but the ease of exploitation and potential for social engineering make it a concern for organizations relying on this software for web content delivery.
Mitigation Recommendations
1. Upgrade Pannellum to version 2.5.7 or later immediately, as this version contains the official fix for the vulnerability.
2. If upgrading is not immediately possible, implement a strict Content-Security-Policy (CSP) header containing script-src-attr 'none' to block execution of inline event handlers, effectively mitigating the XSS attack vector.
3. Avoid hosting the pannellum.htm standalone viewer on domains that share cookies with user authentication systems to prevent session hijacking risks.
4. Validate and sanitize all JSON configuration files before use, especially if they originate from untrusted sources, to prevent injection of malicious attributes.
5. Restrict access to configuration files and URLs that load the viewer to trusted users or networks where feasible.
6. Monitor web server logs for unusual requests to the panorama viewer URLs that could indicate exploitation attempts.
7. Educate developers and administrators about the risks of allowing arbitrary HTML attributes in configuration properties and encourage secure coding practices for web content generation.
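The following is an added example illustrating recommendations 2 and 4 above; it is not Pannellum's code and not the fix shipped in 2.5.7. It assumes Pannellum's documented config layout (a top-level hotSpots array whose entries may carry an attributes object of extra HTML attributes); the allowlist, the function names (auditHotSpots, sanitizeHotSpots, cspBlocksInlineHandlers) and the sample config are this example's own constructions. The audit flags any attribute name beginning with "on" (every inline event handler, including ones not yet invented) plus a few other script sinks, the sanitizer keeps only allowlisted names, and the CSP check applies the CSP Level 3 fallback chain (script-src-attr, then script-src, then default-src) to tell whether a given header actually blocks inline handlers.

```javascript
'use strict';

// Added example (not Pannellum project code and not the 2.5.7 fix). It
// assumes Pannellum's documented config layout: a top-level "hotSpots"
// array whose entries may carry an "attributes" object of extra HTML
// attributes for the hot spot element. The allowlist, function names and
// sample config below are this example's own constructions.

// Attribute names a hot spot legitimately needs. Hypothetical allowlist;
// adjust it for your deployment, but never add on* names to it.
const ALLOWED_HOTSPOT_ATTRIBUTES = new Set([
  'title', 'aria-label', 'role', 'tabindex', 'data-id',
]);

// The CSP workaround named in the advisory.
const RECOMMENDED_CSP = "script-src-attr 'none'";

// True for attribute names that are script sinks. HTML attribute names are
// case-insensitive, so OnMouseOver is the same handler as onmouseover.
function isDangerousAttribute(name) {
  const n = String(name).trim().toLowerCase();
  if (n.startsWith('on')) return true; // any inline event handler, known or future
  return n === 'href' || n === 'src' || n === 'srcdoc' || n === 'style';
}

// Audit a parsed config object. Returns findings; an empty array means clean.
function auditHotSpots(config) {
  const findings = [];
  const hotSpots = Array.isArray(config && config.hotSpots) ? config.hotSpots : [];
  hotSpots.forEach((hs, index) => {
    const attrs = hs && hs.attributes && typeof hs.attributes === 'object' ? hs.attributes : {};
    for (const name of Object.keys(attrs)) {
      if (isDangerousAttribute(name)) {
        findings.push({ hotSpot: index, attribute: name, reason: 'script sink' });
      } else if (!ALLOWED_HOTSPOT_ATTRIBUTES.has(name.toLowerCase())) {
        findings.push({ hotSpot: index, attribute: name, reason: 'not on allowlist' });
      }
    }
  });
  return findings;
}

// Deep-copy the config and keep only allowlisted hot spot attributes.
function sanitizeHotSpots(config) {
  const out = JSON.parse(JSON.stringify(config));
  if (!out || !Array.isArray(out.hotSpots)) return out;
  for (const hs of out.hotSpots) {
    if (!hs || !hs.attributes || typeof hs.attributes !== 'object') continue;
    const clean = {};
    for (const [name, value] of Object.entries(hs.attributes)) {
      if (ALLOWED_HOTSPOT_ATTRIBUTES.has(name.toLowerCase())) clean[name] = value;
    }
    hs.attributes = clean;
  }
  return out;
}

// Does a Content-Security-Policy header block inline event handlers?
// Per CSP Level 3, script-src-attr governs event handler attributes; if it
// is absent the browser falls back to script-src, then default-src. Handlers
// run only when the effective directive carries 'unsafe-inline' (or
// 'unsafe-hashes', which this check treats as permissive). The check is
// conservative: it ignores the rule that a nonce or hash makes browsers
// disregard 'unsafe-inline'.
function cspBlocksInlineHandlers(header) {
  const directives = new Map();
  for (const part of String(header).split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1).map((t) => t.toLowerCase()));
  }
  const effective = directives.get('script-src-attr')
    || directives.get('script-src')
    || directives.get('default-src');
  if (!effective) return false; // no governing directive: handlers are allowed
  return !effective.includes("'unsafe-inline'") && !effective.includes("'unsafe-hashes'");
}

// Constructed sample config: one benign hot spot, one carrying an inline
// handler and a non-allowlisted attribute (placeholder values, no payload).
const SAMPLE_CONFIG = {
  type: 'equirectangular',
  panorama: 'pano.jpg',
  hotSpots: [
    { pitch: 10, yaw: 20, type: 'info', text: 'Lobby',
      attributes: { title: 'Lobby', 'data-id': 'hs-1' } },
    { pitch: -5, yaw: 90, type: 'info', text: 'Exit',
      attributes: { OnMouseOver: '/* attacker-controlled script */', href: '/* untrusted */' } },
  ],
};

console.log('findings:', JSON.stringify(auditHotSpots(SAMPLE_CONFIG)));
console.log('sanitized hot spot 1:', JSON.stringify(sanitizeHotSpots(SAMPLE_CONFIG).hotSpots[1].attributes));
console.log('recommended CSP blocks handlers:', cspBlocksInlineHandlers(RECOMMENDED_CSP));
console.log("script-src with 'unsafe-inline' blocks handlers:",
  cspBlocksInlineHandlers("script-src 'self' 'unsafe-inline'"));
```

Two caveats worth keeping in mind when relying on the CSP workaround: script-src-attr is a CSP Level 3 directive, and a browser that does not understand it falls back to script-src, so the script-src (or default-src) directive must not carry 'unsafe-inline' either; and CSP only removes the inline-handler vector, so config files from untrusted sources should still be validated before they reach the viewer, which is what the audit and sanitizer above do.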
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, China, India, Australia, Canada
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-18T19:47:02.156Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 699946e0be58cf853b4e0107
Added to database: 2/21/2026, 5:47:12 AM
Last enriched: 3/1/2026, 12:48:23 AM
Last updated: 4/7/2026, 11:59:00 AM
Views: 181