CVE-2026-53662: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in immich-app immich
immich is a high performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting (XSS) vulnerability on the /auth/login page allows an attacker to fully compromise any authenticated user's account with a single link click. The continue query parameter is read from the URL and passed to SvelteKit's redirect() without any scheme or origin validation, allowing attacker-controlled JavaScript to execute inside Immich's origin. The payload then uses the victim's existing session to mint an all-permission API key on their account, leading to persistent account takeover. This vulnerability is fixed in commit 4eb1003.
AI Analysis
Technical Summary
immich versions from commit 4ffa26c9 until 4eb1003 contain a reflected XSS vulnerability on the /auth/login page. The 'continue' query parameter is not properly neutralized and is passed directly to SvelteKit's redirect() without validation of scheme or origin. This flaw enables execution of attacker-supplied JavaScript within the application's origin, leveraging the victim's authenticated session to create an all-permission API key, resulting in persistent account compromise. The vulnerability is resolved in commit 4eb1003.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an authenticated user's session, leading to full account compromise by minting an all-permission API key. This results in persistent account takeover with high confidentiality, integrity, and availability impact.
Mitigation Recommendations
A fix is available and has been implemented in commit 4eb1003. Users should update immich to the version including this commit to remediate the vulnerability. Patch status is not explicitly confirmed beyond the commit reference; verify with the vendor or official repository for the exact fixed version and apply the update accordingly.
CVE-2026-53662: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in immich-app immich
Description
immich is a high performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting (XSS) vulnerability on the /auth/login page allows an attacker to fully compromise any authenticated user's account with a single link click. The continue query parameter is read from the URL and passed to SvelteKit's redirect() without any scheme or origin validation, allowing attacker-controlled JavaScript to execute inside Immich's origin. The payload then uses the victim's existing session to mint an all-permission API key on their account, leading to persistent account takeover. This vulnerability is fixed in commit 4eb1003.
CVSS v3.1
Score 9.6critical
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
immich versions from commit 4ffa26c9 until 4eb1003 contain a reflected XSS vulnerability on the /auth/login page. The 'continue' query parameter is not properly neutralized and is passed directly to SvelteKit's redirect() without validation of scheme or origin. This flaw enables execution of attacker-supplied JavaScript within the application's origin, leveraging the victim's authenticated session to create an all-permission API key, resulting in persistent account compromise. The vulnerability is resolved in commit 4eb1003.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an authenticated user's session, leading to full account compromise by minting an all-permission API key. This results in persistent account takeover with high confidentiality, integrity, and availability impact.
Mitigation Recommendations
A fix is available and has been implemented in commit 4eb1003. Users should update immich to the version including this commit to remediate the vulnerability. Patch status is not explicitly confirmed beyond the commit reference; verify with the vendor or official repository for the exact fixed version and apply the update accordingly.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-09T20:50:36.877Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3acbe4eed863c81e6c9a5a
Added to database: 06/23/2026, 18:09:40 UTC
Last enriched: 06/23/2026, 18:24:15 UTC
Last updated: 06/23/2026, 18:54:13 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.