CVE-2026-53662

Source
https://cve.org/CVERecord?id=CVE-2026-53662
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53662.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53662
Aliases
  • GHSA-8244-8vpr-vp9c
Published
2026-06-23T17:36:30.727Z
Modified
2026-07-08T08:12:47.012304Z
Severity
  • 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
immich: One-click account takeover via XSS in login page continue redirect
Details

immich is a high performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting (XSS) vulnerability on the /auth/login page allows an attacker to fully compromise any authenticated user's account with a single link click. The continue query parameter is read from the URL and passed to SvelteKit's redirect() without any scheme or origin validation, allowing attacker-controlled JavaScript to execute inside Immich's origin. The payload then uses the victim's existing session to mint an all-permission API key on their account, leading to persistent account takeover. This vulnerability is fixed in commit 4eb1003.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": ">= main@4ffa26c9, < main@4eb1003"
                },
                {
                    "last_affected": ">= main@4ffa26c9, < main@4eb1003"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53662.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-601",
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/immich-app/immich

Affected ranges

Type
GIT
Repo
https://github.com/immich-app/immich
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

Other
first-android-release
v0.*
v0.2-dev
v0.3-dev
v0.4-dev
v0.5-dev
v0.6-dev
v1.*
v1.10.0_15-dev
v1.100.0
v1.101.0
v1.102.0
v1.102.1
v1.102.2
v1.102.3
v1.103.0
v1.103.1
v1.104.0
v1.105.0
v1.105.1
v1.106.0
v1.106.1
v1.106.2
v1.106.3
v1.106.4
v1.107.0
v1.107.1
v1.107.2
v1.108.0
v1.109.0
v1.109.1
v1.109.2
v1.11.0_17-dev
v1.110.0
v1.111.0
v1.112.0
v1.112.1
v1.113.0
v1.113.1
v1.114.0
v1.115.0
v1.116.0
v1.116.1
v1.116.2
v1.117.0
v1.118.0
v1.118.1
v1.118.2
v1.119.0
v1.119.1
v1.12.0_18-dev
v1.120.0
v1.120.1
v1.120.2
v1.121.0
v1.122.0
v1.122.1
v1.122.2
v1.122.3
v1.123.0
v1.124.0
v1.124.1
v1.124.2
v1.125.0
v1.125.1
v1.125.2
v1.125.3
v1.125.4
v1.125.5
v1.125.6
v1.125.7
v1.126.0
v1.126.1
v1.127.0
v1.128.0
v1.129.0
v1.13.0_20-dev
v1.130.0
v1.130.1
v1.130.2
v1.130.3
v1.131.0
v1.131.1
v1.131.2
v1.131.3
v1.132.0
v1.132.1
v1.132.2
v1.132.3
v1.133.0
v1.133.1
v1.134.0
v1.135.0
v1.135.1
v1.135.2
v1.135.3
v1.136.0
v1.137.0
v1.137.1
v1.137.2
v1.137.3
v1.138.0
v1.138.1
v1.139.0
v1.139.1
v1.139.2
v1.139.3
v1.139.4
v1.14.0_21-dev
v1.140.0
v1.140.1
v1.141.0
v1.141.1
v1.142.0
v1.142.1
v1.143.0
v1.143.1
v1.144.0
v1.144.1
v1.15.0_21-dev
v1.15.1_21-dev
v1.16.0_23-dev
v1.17.0_25-dev
v1.18.0_27-dev
v1.19.0_29-dev
v1.19.1_29-dev
v1.20.0_30-dev
v1.20.1_30-dev
v1.20.2_30-dev
v1.20.3_30-dev
v1.21.0_31-dev
v1.21.1_31-dev
v1.22.0_32-dev
v1.23.0_33-dev
v1.24.0_34-dev
v1.25.0_35-dev
v1.26.0_36-dev
v1.27.0_37-dev
v1.28.0_38-dev
v1.28.1_39-dev
v1.28.2_40-dev
v1.28.3_41-dev
v1.28.4_41-dev
v1.28.4_42-dev
v1.29.0_42-dev
v1.29.1_43-dev
v1.29.2_43-dev
v1.29.3_43-dev
v1.29.4_44-dev
v1.29.5_44-dev
v1.29.6_44-dev
v1.29.6_45-dev
v1.3.0-dev
v1.3.1-dev
v1.30.0_46-dev
v1.30.2_48-dev
v1.31.0_49-dev
v1.31.1_49-dev
v1.32.0_50-dev
v1.32.1_51-dev
v1.33.0_52-dev
v1.33.1_52-dev
v1.34.0_53-dev
v1.35.0_54-dev
v1.36.0_55-dev
v1.36.1_55-dev
v1.36.2_56-dev
v1.37.0_58-dev
v1.38.0_60-dev
v1.38.1_60-dev
v1.38.2_60-dev
v1.39.0_61-dev
v1.4.0+6-dev
v1.4.0+7-dev
v1.4.0-dev
v1.40.0_63-dev
v1.40.1_63-dev
v1.41.0_64-dev
v1.41.1_64-dev
v1.42.0_65-dev
v1.43.0
v1.43.1
v1.44.0
v1.45.0
v1.46.0
v1.46.1
v1.47.0
v1.47.1
v1.47.2
v1.47.3
v1.48.0
v1.48.1
v1.49.0
v1.5.0+8-dev
v1.5.1+9-dev
v1.50.0
v1.50.1
v1.51.0
v1.51.1
v1.51.2
v1.52.1
v1.53.0
v1.54.0
v1.54.1
v1.55.0
v1.55.1
v1.56.0
v1.56.1
v1.56.2
v1.57.0
v1.57.1
v1.58.0
v1.59.0
v1.59.1
v1.6.0_10-dev
v1.60.0
v1.61.0
v1.62.0
v1.62.1
v1.63.0
v1.63.1
v1.63.2
v1.64.0
v1.65.0
v1.66.0
v1.66.1
v1.67.0
v1.67.1
v1.67.2
v1.68.0
v1.69.0
v1.7.0_11-dev
v1.70.0
v1.71.0
v1.72.0
v1.72.1
v1.72.2
v1.73.0
v1.74.0
v1.75.0
v1.75.1
v1.75.2
v1.76.0
v1.76.1
v1.77.0
v1.78.0
v1.78.1
v1.79.0
v1.79.1
v1.8.0_12-dev
v1.80.0
v1.81.0
v1.81.1
v1.82.0
v1.82.1
v1.83.0
v1.84.0
v1.85.0
v1.86.0
v1.87.0
v1.88.0
v1.88.2
v1.89.0
v1.9.0_13-dev
v1.9.1_14-dev
v1.90.0
v1.90.1
v1.90.2
v1.91.0
v1.91.1
v1.91.2
v1.91.3
v1.91.4
v1.92.0
v1.92.1
v1.93.0
v1.93.1
v1.93.2
v1.93.3
v1.94.1
v1.95.0
v1.95.1
v1.96.0
v1.97.0
v1.98.0
v1.98.1
v1.98.2
v1.99.0
v2.*
v2.0.0
v2.0.1
v2.1.0
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.3.0
v2.3.1
v2.4.0
v2.4.1
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53662.json"