2 matches found
CVE-2026-53662
Immich (self-hosted photo/video management) has a reflected XSS in the /auth/login page observed between commits 4ffa26c9 and 4eb1003. The continue query parameter is read from the URL and passed to SvelteKit redirect() without URL scheme/origin validation, enabling attacker-controlled JavaScript...
PT-2026-51576
Name of the Vulnerable Software and Affected Versions immich versions 4ffa26c9 through 4eb1003 Description A reflected cross-site scripting XSS issue exists on the '/auth/login' page. The continue query parameter is processed by SvelteKit's redirect function without proper scheme or origin...