PT-2026-21004 · Pannellum · Pannellum
Luminary
Published 2026-02-19 · Updated 2026-03-24 · CVE-2026-27210
CVSS v3.1 6.1 Medium
Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Pannellum versions 2.5.6 through 3.5.0
Description: Pannellum, a lightweight panorama viewer for the web, has an issue where the hot spot `attributes` configuration property allows any attribute to be set on the hot spot element, including HTML event handler attributes, which enables cross-site scripting (XSS). This affects websites hosting the standalone viewer HTML file and any use of untrusted JSON config files, and it bypasses the protections of the escapeHTML parameter. Certain events fire without user interaction, so merely visiting a URL that points the viewer at a malicious config file can execute arbitrary JavaScript, potentially replacing the page content. Reports indicate this issue is actively exploited for cryptocurrency-related phishing attempts. The `attributes` property is the source of the issue.
Recommendations: Pannellum versions 2.5.6 through 3.5.0 should be updated to version 2.5.7 or later. As a workaround, set the Content-Security-Policy header to script-src-attr 'none' to block execution of inline event handlers. To reduce the impact of any XSS, do not host pannellum.htm on a domain that shares cookies with authenticated users.

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2026-27210, GHSA-8423-W5WX-H2R6

Affected Products: Pannellum