PT-2026-33001 · Immich · Immich

Published: 2026-04-14 · Updated: 2026-04-15 · CVE-2026-40096

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: immich versions prior to 2.7.3

Description: An open redirect exists in the shared album functionality. A registered attacker can create a shared album whose name contains a crafted payload. The payload is inserted unsanitized into a tag within 'api.service.ts'. When a victim opens the share link, the browser renders the payload inside that tag, causing a redirect to an attacker-controlled site. This can be used to facilitate phishing attacks by directing users to a fake authentication page to collect login credentials.

Recommendations: Update to version 2.7.3.
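As an added example (not Immich's code and not the fix the project shipped in 2.7.3), the TypeScript below puts the unsafe concatenation pattern the description refers to next to an escaping version, and adds a check a code reviewer or unit test can use to confirm that no foreign tag survives in the rendered markup. The function names, the `<title>` element used as the insertion point, and the sample album name are constructed assumptions; the advisory does not name the tag involved.

```typescript
// Added example; hypothetical functions, not Immich's api.service.ts.
// Shows why a user-controlled album name must be escaped before it is
// placed into HTML, and how to detect markup that slipped through.

const HTML_ESCAPES: { [c: string]: string } = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape every character that can open or close a tag or an attribute value.
function escapeHtml(text: string): string {
  return text.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c] ?? c);
}

// Vulnerable pattern: the album name is concatenated into markup as-is, so any
// tag inside the name becomes part of the page the browser renders.
function renderShareTitleUnsafe(albumName: string): string {
  return `<title>${albumName}</title>`;
}

// Hardened pattern: the same template, but the name is escaped first, so the
// browser shows the characters literally instead of interpreting them as tags.
function renderShareTitle(albumName: string): string {
  return `<title>${escapeHtml(albumName)}</title>`;
}

// Review/test check: true if the rendered fragment contains any tag other than
// the single <title> element the template is supposed to emit.
function containsInjectedTag(html: string): boolean {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) ?? [];
  return tags.some((t) => !/^<\/?title>$/.test(t));
}

// Constructed sample: an album name carrying markup and quote characters.
const SAMPLE_NAME = 'Holiday <b>2025</b> "best" pics';
```

Running `containsInjectedTag` over `renderShareTitleUnsafe(SAMPLE_NAME)` returns `true`, while the escaped rendering returns `false`; the same check works as a regression test for any template that embeds user-supplied text.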

Tags: Fix · XSS · Open Redirect


Weakness Enumeration

Related Identifiers: CVE-2026-40096

Affected Products: Immich