
CVE-2026-27210: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mpetroff pannellum

Severity: Medium
Tags: Vulnerability, CVE-2026-27210, CWE-79
Published: Sat Feb 21 2026 (02/21/2026, 05:24:16 UTC)
Source: CVE Database V5
Vendor/Project: mpetroff
Product: pannellum

Description

CVE-2026-27210 is a medium severity cross-site scripting (XSS) vulnerability in the Pannellum panorama viewer versions 2.5.0 through 2.5.6. It arises from improper neutralization of input in the hot spot attributes configuration, allowing injection of HTML event handler attributes. An attacker can exploit this by hosting a malicious JSON config file that triggers JavaScript execution when a user visits a standalone viewer URL, without any additional interaction. This can lead to arbitrary script execution, page content manipulation, and potential phishing or session hijacking if cookies are shared. The vulnerability is fixed in version 2.5.

AI-Powered Analysis

Last updated: 02/21/2026, 06:01:35 UTC

Technical Analysis

CVE-2026-27210 is a cross-site scripting vulnerability classified under CWE-79 affecting Pannellum, an open-source web panorama viewer. The flaw exists in versions 2.5.0 through 2.5.6, where the hot spot attributes configuration property allows any attribute to be set, including HTML event handler attributes such as onclick or onmouseover. This improper input neutralization enables an attacker to craft malicious JSON configuration files that embed executable JavaScript code. When a user accesses a standalone Pannellum viewer URL referencing such a malicious config file, the embedded scripts execute automatically without requiring further user interaction. This can result in arbitrary JavaScript execution within the context of the hosting website, enabling attackers to manipulate page content, perform phishing attacks by spoofing the site, or steal sensitive information like cookies or session tokens. The vulnerability bypasses the escapeHTML protections because it targets attribute injection rather than inner HTML content. The issue was resolved in version 2.5.7 by restricting attribute injection. As a workaround, setting a Content-Security-Policy header with script-src-attr 'none' can block inline event handlers, mitigating the risk. Additionally, it is recommended not to host pannellum.htm on domains that share cookies with user authentication to reduce the impact of potential XSS attacks. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network exploitability without privileges or user interaction, but with limited scope and impact. No known exploits have been reported in the wild as of the publication date.

Potential Impact

The vulnerability allows remote attackers to execute arbitrary JavaScript code in the context of affected websites using vulnerable Pannellum versions. This can lead to significant security impacts including theft of sensitive user data such as cookies or session tokens, enabling account hijacking or unauthorized access. Attackers can also manipulate the displayed content to conduct phishing attacks or spread malware. Since the exploit requires only visiting a maliciously crafted URL, it can be triggered without user interaction, increasing the risk of widespread exploitation. Organizations hosting Pannellum standalone viewers or using untrusted JSON config files are at risk. If the vulnerable viewer is hosted on domains sharing authentication cookies, the impact escalates to potential full account compromise. However, the vulnerability does not affect the core application logic or server-side components, limiting the scope to client-side attacks. The absence of known exploits in the wild reduces immediate risk but does not preclude future attacks. Overall, the impact is medium but can be severe in environments with sensitive user sessions or inadequate content security policies.

Mitigation Recommendations

To mitigate this vulnerability, organizations should upgrade Pannellum to version 2.5.7 or later, where the issue is fixed by restricting attribute injection. If immediate upgrade is not feasible, implement a strict Content-Security-Policy header with the directive script-src-attr 'none' to block execution of inline event handlers embedded via attributes. Avoid hosting pannellum.htm on domains that share cookies with user authentication to prevent session theft via XSS. Validate and sanitize all JSON configuration files from untrusted sources before use, ensuring they do not contain malicious attributes. Employ subresource integrity (SRI) and serve the viewer over HTTPS to prevent tampering. Monitor web server logs for suspicious requests referencing unusual JSON config files. Educate developers and administrators about the risks of attribute injection and the importance of CSP enforcement. Regularly audit web applications for similar XSS vectors in third-party components. These targeted steps go beyond generic advice by focusing on configuration, hosting practices, and CSP tuning specific to this vulnerability.
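As an added example that is not part of the advisory or of Pannellum's own code, the following JavaScript performs two of the checks recommended above: it screens an untrusted JSON config for hot spot attributes that are event handlers, javascript: URLs, or outside an allowlist, and it verifies that a Content-Security-Policy header value carries the script-src-attr 'none' workaround. It assumes the config keeps hot spots in a hotSpots array with their extra HTML attributes in a per-hot-spot attributes object; the allowlist and the sample config are constructed for illustration.

```javascript
// Added example, not Pannellum's own code: a defender-side pre-check that
// rejects a Pannellum JSON config before the standalone viewer loads it.
// Assumption: hot spots live in config.hotSpots[] and their extra HTML
// attributes in a per-hot-spot "attributes" object (name -> value).
const ALLOWED_HOTSPOT_ATTRIBUTES = new Set(["title", "class", "data-id", "aria-label", "href", "target", "rel"]);
const URL_ATTRIBUTES = new Set(["href", "src"]);

// Returns one finding per unsafe attribute; an empty array means the config passed.
function findUnsafeHotSpotAttributes(config) {
  const findings = [];
  const hotSpots = Array.isArray(config.hotSpots) ? config.hotSpots : [];
  hotSpots.forEach((spot, index) => {
    const attrs = spot && spot.attributes && typeof spot.attributes === "object" ? spot.attributes : {};
    for (const [rawName, rawValue] of Object.entries(attrs)) {
      const name = rawName.trim().toLowerCase();
      // Drop ASCII control characters so a split scheme like "java\tscript:" cannot pass the URL check.
      const value = String(rawValue).replace(/[\u0000-\u001f]/g, "");
      if (name.startsWith("on")) {
        findings.push({ hotSpot: index, attribute: rawName, reason: "event handler attribute" });
      } else if (!ALLOWED_HOTSPOT_ATTRIBUTES.has(name)) {
        findings.push({ hotSpot: index, attribute: rawName, reason: "attribute not in allowlist" });
      } else if (URL_ATTRIBUTES.has(name) && /^\s*javascript:/i.test(value)) {
        findings.push({ hotSpot: index, attribute: rawName, reason: "javascript: URL" });
      }
    }
  });
  return findings;
}

// True when the CSP header value carries the advisory's workaround directive,
// script-src-attr 'none', which makes browsers ignore inline event handler attributes.
function cspBlocksInlineHandlers(cspHeader) {
  return cspHeader.split(";").some((directive) => {
    const tokens = directive.trim().split(/\s+/);
    return tokens[0].toLowerCase() === "script-src-attr" && tokens.slice(1).some((t) => t.toLowerCase() === "'none'");
  });
}

// Constructed sample config: one clean hot spot and one carrying three unsafe attributes.
const SAMPLE_CONFIG = {
  type: "equirectangular",
  panorama: "panorama.jpg",
  hotSpots: [
    { pitch: 10, yaw: 20, type: "info", text: "Entrance", attributes: { title: "Entrance", "data-id": "e1" } },
    { pitch: -5, yaw: 90, type: "info", text: "Bad", attributes: { onmouseover: "void 0", href: "javascript:void 0", style: "color:red" } },
  ],
};

console.log(findUnsafeHotSpotAttributes(SAMPLE_CONFIG));
console.log(cspBlocksInlineHandlers("default-src 'self'; script-src-attr 'none'"));
```

Run the attribute check at upload or publish time on any config that did not originate from the site operator, and keep the CSP check in a deployment test so the workaround header is not silently dropped by a proxy or CDN.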


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-18T19:47:02.156Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 699946e0be58cf853b4e0107

Added to database: 2/21/2026, 5:47:12 AM

Last enriched: 2/21/2026, 6:01:35 AM

Last updated: 2/21/2026, 7:23:58 AM

