futo immich の CVE(4 件)

CVE 件数: 4 CPE versions: View versions table

概要

本ページは futo immich に影響する公開済み CVE(NVD の CPE 経由で関連付け)を列挙します。各行に深刻度指標・概要・公開日が含まれます。

表示中 14 / 4 CVE 件数
«« 先頭 « 前へ 1 / 1 次へ »
CVE 概要 ソース CVSS 最大値 EPSS(%) 公開 更新
CVE-2026-40096 immich is a high performance self-hosted photo and video management solution. Versions prior to 2.7.3 contain an open redirect vulnerability in the shared album functionality, where the album name is inserted unsanitized into a <meta> tag in api.service.ts. A registered attacker can create a shared album with a crafted name containing 0;url=https://attackersite.com" http-equiv="refresh, which when rendered in the <meta property="og:title"> tag causes the victim's browser to redirect to an attack [email protected] 5.1 0.21% 2026-04-15 2026-06-17
CVE-2026-35455 immich is a high performance self-hosted photo and video management solution. Prior to 2.7.0, sStored Cross-Site Scripting (XSS) in the 360° panorama viewer allows any authenticated user to execute arbitrary JavaScript in the browser of any other user who views the malicious panorama with the OCR overlay enabled. The attacker uploads an equirectangular image containing crafted text; OCR extracts it, and the panorama viewer renders it via innerHTML without sanitization. This enables session hijac [email protected] 7.3 0.22% 2026-04-08 2026-06-17
CVE-2026-25118 immich is a high performance self-hosted photo and video management solution. Prior to version 2.6.0, the Immich application is vulnerable to credential disclosure when a user authenticates to a shared album. During the authentication process, the application transmits the album password within the URL query parameters in a GET request to /api/shared-links/me. This exposes the password in browser history, proxy and server logs, and referrer headers, allowing unintended disclosure of authenticati [email protected] 6.3 0.45% 2026-04-03 2026-06-17
CVE-2026-23896 immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue. [email protected] 7.2 0.30% 2026-01-29 2026-06-17
«« 先頭 « 前へ 1 / 1 次へ »
cvelogic Threat Intelligence