3 matches found
CVE-2026-40096
Immich (self-hosted photo/video manager) contains an open redirect in rendering via the shared album name in API code (api.service.ts) affecting versions prior to 2.7.3. An attacker can craft a shared album name that injects a URL into a meta refresh, causing a victim opening the shared link to ...
CVE-2026-23896
CVE-2026-23896 impacts Immich self-hosted photo/video management. Prior to version 2.5.0, API keys could escalate permissions by abusing the update endpoint, enabling a low-privilege API key to grant itself full administrative access. Red Hat/NVD and other sources corroborate this description, wi...
CVE-2026-25118
CVE-2026-25118 affects Immich server prior to version 2.6.0, where the authentication process transmits the album password in the URL query string of a GET request to /api/shared-links/me. This causes credential disclosure through browser history, proxy/server logs, and referrer headers, potentia...