Browse all 5 CVE security advisories affecting immich-app. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Immich-app is an open-source self-hosted photo and video backup solution designed for personal media management. Historically, it has been affected by multiple critical vulnerabilities including remote code execution, cross-site scripting, and privilege escalation flaws, with five CVEs currently documented. The application's security posture has been challenged by improper access controls and input validation weaknesses in its API endpoints. While no major public security incidents have been widely reported, the consistent discovery of vulnerabilities underscores the importance of regular updates and hardening for deployments handling sensitive personal data.
| CVE ID | Title | Vendor | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-40096 | immich: Open Redirect via Shared Album name | immich | CWE-79 | 5.4 | - | 2026-04-14 |
| CVE-2026-35455 | immich has Stored XSS via OCR Text in 360° Panorama Viewer | immich | CWE-79 | 7.3 | High | 2026-04-08 |
| CVE-2026-25118 | immich-server: Insecure Transmission of Authentication Credentials via Password Parameter in HTTP Request Query String When Accessing Shared Albums | immich | CWE-598 | 8.1 (AI) | High (AI) | 2026-04-03 |
| CVE-2026-23896 | immich API Key Privilege Escalation vulnerability | immich | CWE-269 | 7.2 | High | 2026-01-29 |
| CVE-2025-43856 | immich allows account hijacking through oauth2 | immich | CWE-303 | 8.8 (AI) | High (AI) | 2025-07-11 |
This page lists every published CVE security advisory associated with immich-app. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.