XSS in Immich-app Immich
CVE-2026-40096
immich is a high performance self-hosted photo and video management solution. Versions prior to 2.7.3 contain an open redirect vulnerability in the shared album functionality, where the album name is inserted unsanitized into a <meta> tag…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.000 (9.8th percentile)
Affected products
- Immich-app Immich — versions < 2.7.3
References
- https://github.com/immich-app/immich/security/advisories/GHSA-24fq-72x8-v7hm (x_refsource_CONFIRM)
- https://github.com/immich-app/immich/releases/tag/v2.7.3 (x_refsource_MISC)