PT-2026-31431 · Imich · Imich

Published: 2026-04-08 · Updated: 2026-04-08 · CVE-2026-35455

CVSS v3.1: 7.3 (High)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: imich versions prior to 2.7.0

Description: A Stored Cross-Site Scripting (XSS) issue exists in the 360° panorama viewer. An authenticated user can execute arbitrary JavaScript in the browser of another user viewing a malicious panorama with the OCR overlay enabled. The attacker uploads an equirectangular image containing crafted text. OCR extracts the text, and the panorama viewer renders it using innerHTML without sanitization. This could lead to session hijacking (via persistent API key creation), private photo exfiltration, and access to GPS location history and face biometric data.

Recommendations: Update to version 2.7.0 or later.
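The defect described above is the classic "untrusted string into innerHTML" pattern: text that OCR pulls out of a user-uploaded image is data, but the viewer hands it to the HTML parser. The following is an added illustration, not Imich's code, showing the vulnerable rendering beside two hardened forms (DOM `textContent` for direct rendering, and explicit escaping when an HTML string must be built). The OCR sample string and the function names are constructed for this example.

```javascript
// Added example (not from the Imich project): how OCR-extracted text
// should and should not reach the panorama overlay.

// Constructed sample: what an OCR pass might return for text painted
// into an uploaded panorama. Any markup-looking characters in here
// came from the image, i.e. from the uploader, and must stay inert.
const SAMPLE_OCR_TEXT = "Exit <b>here</b>";

// VULNERABLE pattern (the one the advisory describes): OCR output is
// assigned to innerHTML, so the browser parses it as HTML and any tags
// or event handlers in it become live DOM.
function renderOverlayUnsafe(container, ocrText) {
  container.innerHTML = ocrText;
  return container;
}

// FIXED pattern A: assign through textContent. The browser treats the
// string purely as character data; "<b>" is displayed literally.
function renderOverlaySafe(container, ocrText) {
  container.textContent = ocrText;
  return container;
}

// FIXED pattern B: when the overlay is assembled as an HTML string
// (template-style), escape every OCR fragment before concatenation.
function escapeHtml(value) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Builds the overlay markup for a list of OCR labels with each label
// escaped, so only the <span> wrappers we wrote are interpreted as HTML.
function buildOverlayHtml(ocrLabels) {
  return ocrLabels
    .map((label) => `<span class="ocr-label">${escapeHtml(label)}</span>`)
    .join("");
}

// Stand-alone demo using plain objects in place of DOM elements, so it
// also runs under Node without a browser.
const unsafe = renderOverlayUnsafe({}, SAMPLE_OCR_TEXT);
const safe = renderOverlaySafe({}, SAMPLE_OCR_TEXT);
console.log("innerHTML path would parse:", unsafe.innerHTML);
console.log("textContent path shows literally:", safe.textContent);
console.log("escaped template:", buildOverlayHtml([SAMPLE_OCR_TEXT]));
```

The important design point is that sanitising the OCR output is the wrong place to start: the overlay never needs markup from the image, so the fix is to stop interpreting it as markup at all (`textContent`, or escaping at the point of string assembly). Where OCR text genuinely must be styled, style the wrapper element you create, not the text.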

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2026-35455

Affected Products: Imich