Suggestions search

Untriaged

Filter by:

With package: immich-public-proxy

Found 3 matching suggestions

View:

Compact

Detailed

Permalink CVE-2026-35455

7.3 HIGH

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 6 days, 3 hours ago

immich has Stored XSS via OCR Text in 360° Panorama Viewer

immich is a high performance self-hosted photo and video management solution. Prior to 2.7.0, sStored Cross-Site Scripting (XSS) in the 360° panorama viewer allows any authenticated user to execute arbitrary JavaScript in the browser of any other user who views the malicious panorama with the OCR overlay enabled. The attacker uploads an equirectangular image containing crafted text; OCR extracts it, and the panorama viewer renders it via innerHTML without sanitization. This enables session hijacking (via persistent API key creation), private photo exfiltration, and access to GPS location history and face biometric data. This vulnerability is fixed in 2.7.0.

References

https://github.com/immich-app/immich/security/advisories/GHSA-9qx4-67jm-cc66 x_refsource_CONFIRM

Affected products

immich

==< 2.7.0

Matching in nixpkgs

pkgs.immich

Self-hosted photo and video backup solution

nixos-unstable 2.6.3
- nixpkgs-unstable 2.6.3
- nixos-unstable-small 2.6.3
nixos-25.11 2.6.3
- nixos-25.11-small 2.6.3
- nixpkgs-25.11-darwin 2.6.3

pkgs.immich-go

Immich client tool for bulk-uploads

nixos-unstable 0.31.0
- nixpkgs-unstable 0.31.0
- nixos-unstable-small 0.31.0
nixos-25.11 0.30.0
- nixos-25.11-small 0.30.0
- nixpkgs-25.11-darwin 0.30.0

pkgs.immich-cli

Self-hosted photo and video backup solution (command line interface)

nixos-unstable 2.6.3
- nixpkgs-unstable 2.6.3
- nixos-unstable-small 2.6.3
nixos-25.11 2.6.3
- nixos-25.11-small 2.6.3
- nixpkgs-25.11-darwin 2.6.3

pkgs.immichframe

Display your photos from Immich as a digital photo frame

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small

pkgs.immich-kiosk

Lightweight slideshow for running on kiosk devices and browsers that uses Immich as a data source

nixos-unstable 0.31.0
- nixpkgs-unstable 0.31.0
- nixos-unstable-small 0.31.0
nixos-25.11 0.26.1
- nixos-25.11-small 0.26.1
- nixpkgs-25.11-darwin 0.26.1

pkgs.immich-public-proxy

Share your Immich photos and albums in a safe way without exposing your Immich instance to the public

nixos-unstable 1.15.5
- nixpkgs-unstable 1.15.5
- nixos-unstable-small 1.15.5
nixos-25.11 1.15.1
- nixos-25.11-small 1.15.1
- nixpkgs-25.11-darwin 1.15.1

pkgs.immich-machine-learning

Self-hosted photo and video backup solution (machine learning component)

nixos-unstable 2.6.3
- nixpkgs-unstable 2.6.3
- nixos-unstable-small 2.6.3
nixos-25.11 2.6.3
- nixos-25.11-small 2.6.3
- nixpkgs-25.11-darwin 2.6.3

pkgs.python312Packages.aioimmich

Asynchronous library to fetch albums and assests from immich

nixos-25.11 0.11.1
- nixos-25.11-small 0.11.1
- nixpkgs-25.11-darwin 0.11.1

pkgs.python313Packages.aioimmich

Asynchronous library to fetch albums and assests from immich

nixos-unstable 0.13.0
- nixpkgs-unstable 0.13.0
- nixos-unstable-small 0.13.0
nixos-25.11 0.11.1
- nixos-25.11-small 0.11.1
- nixpkgs-25.11-darwin 0.11.1

pkgs.python314Packages.aioimmich

Asynchronous library to fetch albums and assests from immich

nixos-unstable 0.13.0
- nixpkgs-unstable 0.13.0
- nixos-unstable-small 0.13.0

pkgs.gnomeExtensions.immich-wallpaper

Sets desktop wallpaper from Immich server photos

nixos-unstable 9
- nixpkgs-unstable 9
- nixos-unstable-small 9
nixos-25.11 4
- nixos-25.11-small 4
- nixpkgs-25.11-darwin 4

pkgs.pkgsRocm.immich-machine-learning

Self-hosted photo and video backup solution (machine learning component)

nixos-unstable 2.6.3
- nixpkgs-unstable 2.6.3
- nixos-unstable-small 2.6.3
nixos-25.11 2.6.3
- nixos-25.11-small 2.6.3
- nixpkgs-25.11-darwin 2.6.3

pkgs.home-assistant-component-tests.immich

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.immich

Open source home automation that puts local control and privacy first

nixos-unstable 2026.4.1
- nixpkgs-unstable 2026.4.1
- nixos-unstable-small 2026.4.1

Package maintainers

@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@titaniumtown Simon Gardling <titaniumtown@proton.me>
@jvanbruegge Jan van Brügge <supermanitu@gmail.com>
@Scrumplex Sefa Eyeoglu <contact@scrumplex.net>
@kai-tub Kai Norman Clasen
@Jaculabilis Tim Van Baak <tim.vanbaak@gmail.com>
@honnip Jung seungwoo <me@honnip.page>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@tlvince Tom Vincent <nixos@tlvince.com>
@jfly Jeremy Fleischman <jeremyfleischman@gmail.com>

Permalink CVE-2026-25118

created 1 week, 4 days ago

immich-server: Insecure Transmission of Authentication Credentials via Password Parameter in HTTP Request Query String When Accessing Shared Albums

immich is a high performance self-hosted photo and video management solution. Prior to version 2.6.0, the Immich application is vulnerable to credential disclosure when a user authenticates to a shared album. During the authentication process, the application transmits the album password within the URL query parameters in a GET request to /api/shared-links/me. This exposes the password in browser history, proxy and server logs, and referrer headers, allowing unintended disclosure of authentication credentials. The impact of this vulnerability is the potential compromise of shared album access and unauthorized exposure of sensitive user data. This issue has been patched in version 2.6.0.

References

https://github.com/immich-app/immich/security/advisories/GHSA-78x4-6x83-jx75 x_refsource_CONFIRM
https://github.com/immich-app/immich/pull/26868 x_refsource_MISC
https://github.com/immich-app/immich/pull/26886 x_refsource_MISC
https://github.com/immich-app/immich/releases/tag/v2.6.0 x_refsource_MISC

Affected products

immich

==< 2.6.0

Matching in nixpkgs

pkgs.immich

Self-hosted photo and video backup solution

nixos-unstable 2.6.3
- nixpkgs-unstable 2.6.3
- nixos-unstable-small 2.6.3
nixos-25.11 2.6.3
- nixos-25.11-small 2.6.3
- nixpkgs-25.11-darwin 2.6.3

pkgs.immich-go

Immich client tool for bulk-uploads

nixos-unstable 0.31.0
- nixpkgs-unstable 0.31.0
- nixos-unstable-small 0.31.0
nixos-25.11 0.30.0
- nixos-25.11-small 0.30.0
- nixpkgs-25.11-darwin 0.30.0

pkgs.immich-cli

Self-hosted photo and video backup solution (command line interface)

nixos-unstable 2.6.3
- nixpkgs-unstable 2.6.3
- nixos-unstable-small 2.6.3
nixos-25.11 2.6.3
- nixos-25.11-small 2.6.3
- nixpkgs-25.11-darwin 2.6.3

pkgs.immichframe

Display your photos from Immich as a digital photo frame

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small

pkgs.immich-kiosk

Lightweight slideshow for running on kiosk devices and browsers that uses Immich as a data source

nixos-unstable 0.31.0
- nixpkgs-unstable 0.31.0
- nixos-unstable-small 0.31.0
nixos-25.11 0.26.1
- nixos-25.11-small 0.26.1
- nixpkgs-25.11-darwin 0.26.1

pkgs.immich-public-proxy

Share your Immich photos and albums in a safe way without exposing your Immich instance to the public

nixos-unstable 1.15.5
- nixpkgs-unstable 1.15.5
- nixos-unstable-small 1.15.5
nixos-25.11 1.15.1
- nixos-25.11-small 1.15.1
- nixpkgs-25.11-darwin 1.15.1

pkgs.immich-machine-learning

Self-hosted photo and video backup solution (machine learning component)

nixos-unstable 2.6.3
- nixpkgs-unstable 2.6.3
- nixos-unstable-small 2.6.3
nixos-25.11 2.6.3
- nixos-25.11-small 2.6.3
- nixpkgs-25.11-darwin 2.6.3

pkgs.python312Packages.aioimmich

Asynchronous library to fetch albums and assests from immich

nixos-25.11 0.11.1
- nixos-25.11-small 0.11.1
- nixpkgs-25.11-darwin 0.11.1

pkgs.python313Packages.aioimmich

Asynchronous library to fetch albums and assests from immich

nixos-unstable 0.12.1
- nixpkgs-unstable 0.12.1
- nixos-unstable-small 0.12.1
nixos-25.11 0.11.1
- nixos-25.11-small 0.11.1
- nixpkgs-25.11-darwin 0.11.1

pkgs.python314Packages.aioimmich

Asynchronous library to fetch albums and assests from immich

nixos-unstable 0.12.1
- nixpkgs-unstable 0.12.1
- nixos-unstable-small 0.12.1

pkgs.gnomeExtensions.immich-wallpaper

Sets desktop wallpaper from Immich server photos

nixos-unstable 9
- nixpkgs-unstable 9
- nixos-unstable-small 9
nixos-25.11 4
- nixos-25.11-small 4
- nixpkgs-25.11-darwin 4

pkgs.pkgsRocm.immich-machine-learning

Self-hosted photo and video backup solution (machine learning component)

nixos-unstable 2.6.3
- nixpkgs-unstable 2.6.3
- nixos-unstable-small 2.6.3
nixos-25.11 2.6.3
- nixos-25.11-small 2.6.3
- nixpkgs-25.11-darwin 2.6.3

pkgs.home-assistant-component-tests.immich

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.immich

Open source home automation that puts local control and privacy first

nixos-unstable 2026.3.4
- nixpkgs-unstable 2026.3.4
- nixos-unstable-small 2026.3.4

Package maintainers

@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@titaniumtown Simon Gardling <titaniumtown@proton.me>
@jvanbruegge Jan van Brügge <supermanitu@gmail.com>
@Scrumplex Sefa Eyeoglu <contact@scrumplex.net>
@kai-tub Kai Norman Clasen
@Jaculabilis Tim Van Baak <tim.vanbaak@gmail.com>
@honnip Jung seungwoo <me@honnip.page>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@tlvince Tom Vincent <nixos@tlvince.com>
@jfly Jeremy Fleischman <jeremyfleischman@gmail.com>

Permalink CVE-2026-23896

7.2 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): HIGH
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 2 months, 2 weeks ago

immich API Key Privilege Escalation vulnerability

immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue.