CVE-2026-40096: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in immich-app immich
immich versions prior to 2. 7. 3 contain a cross-site scripting (XSS) vulnerability due to improper sanitization of album names inserted into a meta tag. This flaw allows a registered attacker to craft a shared album name that triggers a browser redirect to an attacker-controlled site when the share link is opened. The vulnerability facilitates phishing attacks by potentially leading victims to fake login pages. The issue has been fixed in version 2. 7. 3.
AI Analysis
Technical Summary
The immich photo and video management application versions before 2.7.3 have an XSS vulnerability (CWE-79) caused by unsanitized input in the shared album name, which is inserted into a <meta property="og:title"> tag in api.service.ts. An attacker can exploit this by creating a shared album with a specially crafted name containing a meta refresh directive that causes the victim's browser to redirect to a malicious site. This vulnerability enables phishing attacks by redirecting users to attacker-controlled pages that may mimic immich login screens. The vulnerability is tracked as CVE-2026-40096 with a CVSS 4.0 base score of 5.1 (medium severity). The issue was resolved in immich version 2.7.3.
Potential Impact
Successful exploitation results in victim browsers being redirected to attacker-controlled websites when opening shared album links, facilitating phishing attacks. This can lead to credential theft if victims are tricked into entering login information on fake pages. The vulnerability requires a registered attacker to create a malicious shared album and user interaction to open the link. There is no indication of remote code execution or system compromise beyond phishing facilitation.
Mitigation Recommendations
Upgrade immich to version 2.7.3 or later, where this vulnerability has been fixed. Since this is a self-hosted application, administrators should apply the update promptly to prevent exploitation. No additional mitigations are specified or required once the update is applied.
CVE-2026-40096: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in immich-app immich
Description
immich versions prior to 2. 7. 3 contain a cross-site scripting (XSS) vulnerability due to improper sanitization of album names inserted into a meta tag. This flaw allows a registered attacker to craft a shared album name that triggers a browser redirect to an attacker-controlled site when the share link is opened. The vulnerability facilitates phishing attacks by potentially leading victims to fake login pages. The issue has been fixed in version 2. 7. 3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The immich photo and video management application versions before 2.7.3 have an XSS vulnerability (CWE-79) caused by unsanitized input in the shared album name, which is inserted into a <meta property="og:title"> tag in api.service.ts. An attacker can exploit this by creating a shared album with a specially crafted name containing a meta refresh directive that causes the victim's browser to redirect to a malicious site. This vulnerability enables phishing attacks by redirecting users to attacker-controlled pages that may mimic immich login screens. The vulnerability is tracked as CVE-2026-40096 with a CVSS 4.0 base score of 5.1 (medium severity). The issue was resolved in immich version 2.7.3.
Potential Impact
Successful exploitation results in victim browsers being redirected to attacker-controlled websites when opening shared album links, facilitating phishing attacks. This can lead to credential theft if victims are tricked into entering login information on fake pages. The vulnerability requires a registered attacker to create a malicious shared album and user interaction to open the link. There is no indication of remote code execution or system compromise beyond phishing facilitation.
Mitigation Recommendations
Upgrade immich to version 2.7.3 or later, where this vulnerability has been fixed. Since this is a self-hosted application, administrators should apply the update promptly to prevent exploitation. No additional mitigations are specified or required once the update is applied.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-09T01:41:38.536Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ded8f482d89c981f22edd7
Added to database: 4/15/2026, 12:16:52 AM
Last enriched: 4/15/2026, 12:31:53 AM
Last updated: 4/15/2026, 1:22:47 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.