{"id":"CVE-2026-53662","summary":"immich: One-click account takeover via XSS in login page continue redirect","details":"immich is a high performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting (XSS) vulnerability on the /auth/login page allows an attacker to fully compromise any authenticated user's account with a single link click. The continue query parameter is read from the URL and passed to SvelteKit's redirect() without any scheme or origin validation, allowing attacker-controlled JavaScript to execute inside Immich's origin. The payload then uses the victim's existing session to mint an all-permission API key on their account, leading to persistent account takeover. This vulnerability is fixed in commit 4eb1003.","aliases":["GHSA-8244-8vpr-vp9c"],"modified":"2026-07-08T08:12:47.012304Z","published":"2026-06-23T17:36:30.727Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53662.json","cna_assigner":"GitHub_M","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"\u003e= main@4ffa26c9, \u003c main@4eb1003"},{"last_affected":"\u003e= main@4ffa26c9, \u003c main@4eb1003"}]}],"cwe_ids":["CWE-601","CWE-79"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53662.json"},{"type":"ADVISORY","url":"https://github.com/immich-app/immich/security/advisories/GHSA-8244-8vpr-vp9c"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53662"},{"type":"FIX","url":"https://github.com/immich-app/immich/commit/4eb100327ea5da2e90381b96809f1f1cc51cc7e3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/immich-app/immich","events":[{"introduced":"0"},{"fixed":"4eb100327ea5da2e90381b96809f1f1cc51cc7e3"}],"database_specific":{"source":"REFERENCES"}}],"versions":["v2.7.5","v2.7.4","v2.7.3","v2.7.2","v2.7.1","v2.7.0","v2.6.3","v2.6.2","v2.6.1","v2.6.0","v2.5.6","v2.5.5","v2.5.4","v2.5.3","v2.5.2","v2.5.1","v2.5.0","v2.4.1","v2.4.0","v2.3.1","v2.3.0","v2.2.3","v2.2.2","v2.2.1","v2.0.1","v2.2.0","v2.1.0","v2.0.0","v1.144.1","v1.144.0","v1.143.1","v1.143.0","v1.142.1","v1.142.0","v1.141.1","v1.141.0","v1.140.1","v1.140.0","v1.139.4","v1.139.3","v1.139.2","v1.139.1","v1.139.0","v1.138.1","v1.138.0","v1.137.3","v1.137.2","v1.137.1","v1.137.0","v1.136.0","v1.135.3","v1.135.2","v1.135.1","v1.135.0","v1.134.0","v1.133.1","v1.133.0","v1.132.3","v1.132.2","v1.132.1","v1.132.0","v1.131.3","v1.131.2","v1.131.1","v1.131.0","v1.130.3","v1.130.2","v1.130.1","v1.130.0","v1.129.0","v1.128.0","v1.127.0","v1.126.1","v1.126.0","v1.125.7","v1.125.6","v1.125.5","v1.125.4","v1.125.3","v1.125.2","v1.125.1","v1.125.0","v1.124.2","v1.124.1","v1.124.0","v1.123.0","v1.122.3","v1.122.2","v1.122.1","v1.122.0","v1.121.0","v1.120.2","v1.120.1","v1.120.0","v1.119.1","v1.119.0","v1.118.2","v1.118.1","v1.118.0","v1.117.0","v1.116.2","v1.116.1","v1.116.0","v1.115.0","v1.114.0","v1.113.1","v1.113.0","v1.112.1","v1.112.0","v1.111.0","v1.110.0","v1.109.2","v1.109.1","v1.109.0","v1.108.0","v1.107.2","v1.107.1","v1.107.0","v1.106.4","v1.106.3","v1.106.2","v1.106.1","v1.106.0","v1.105.1","v1.105.0","v1.104.0","v1.103.1","v1.103.0","v1.102.3","v1.102.2","v1.102.1","v1.102.0","v1.101.0","v1.100.0","v1.99.0","v1.98.2","v1.98.1","v1.98.0","v1.97.0","v1.96.0","v1.95.1","v1.95.0","v1.94.1","v1.93.3","v1.93.2","v1.93.1","v1.93.0","v1.92.1","v1.92.0","v1.91.4","v1.91.3","v1.91.2","v1.91.1","v1.91.0","v1.90.2","v1.90.1","v1.90.0","v1.89.0","v1.88.2","v1.88.0","v1.87.0","v1.86.0","v1.85.0","v1.84.0","v1.83.0","v1.82.1","v1.82.0","v1.81.1","v1.81.0","v1.80.0","v1.79.1","v1.79.0","v1.78.1","v1.78.0","v1.77.0","v1.76.1","v1.76.0","v1.75.2","v1.75.1","v1.75.0","v1.74.0","v1.73.0","v1.72.2","v1.72.1","v1.72.0","v1.71.0","v1.70.0","v1.69.0","v1.68.0","v1.67.2","v1.67.1","v1.67.0","v1.66.1","v1.66.0","v1.65.0","v1.64.0","v1.63.2","v1.63.1","v1.63.0","v1.62.1","v1.62.0","v1.61.0","v1.60.0","v1.59.1","v1.59.0","v1.58.0","v1.57.1","v1.57.0","v1.56.2","v1.56.1","v1.56.0","v1.55.1","v1.55.0","v1.54.1","v1.54.0","v1.53.0","v1.52.1","v1.51.2","v1.51.1","v1.51.0","v1.50.1","v1.50.0","v1.49.0","v1.48.1","v1.48.0","v1.47.3","v1.47.2","v1.47.1","v1.47.0","v1.46.1","v1.46.0","v1.45.0","v1.44.0","v1.43.1","v1.43.0","v1.42.0_65-dev","v1.41.1_64-dev","v1.41.0_64-dev","v1.40.1_63-dev","v1.40.0_63-dev","v1.39.0_61-dev","v1.38.2_60-dev","v1.38.1_60-dev","v1.38.0_60-dev","v1.37.0_58-dev","v1.36.2_56-dev","v1.36.1_55-dev","v1.36.0_55-dev","v1.35.0_54-dev","v1.34.0_53-dev","v1.33.1_52-dev","v1.33.0_52-dev","v1.32.1_51-dev","v1.32.0_50-dev","v1.31.1_49-dev","v1.31.0_49-dev","v1.30.2_48-dev","v1.30.0_46-dev","v1.29.6_45-dev","v1.29.6_44-dev","v1.29.5_44-dev","v1.29.4_44-dev","v1.29.3_43-dev","v1.29.2_43-dev","v1.29.1_43-dev","v1.29.0_42-dev","v1.28.4_41-dev","v1.28.4_42-dev","v1.28.3_41-dev","v1.28.2_40-dev","v1.28.1_39-dev","v1.28.0_38-dev","v1.27.0_37-dev","v1.26.0_36-dev","v1.25.0_35-dev","v1.24.0_34-dev","v1.23.0_33-dev","v1.22.0_32-dev","v1.21.1_31-dev","v1.21.0_31-dev","v1.20.3_30-dev","v1.20.2_30-dev","v1.20.1_30-dev","v1.20.0_30-dev","v1.19.1_29-dev","v1.19.0_29-dev","v1.18.0_27-dev","v1.17.0_25-dev","v1.16.0_23-dev","v1.15.1_21-dev","v1.15.0_21-dev","v1.14.0_21-dev","v1.13.0_20-dev","v1.12.0_18-dev","v1.11.0_17-dev","v1.10.0_15-dev","v1.9.1_14-dev","v1.9.0_13-dev","v1.8.0_12-dev","v1.7.0_11-dev","v1.6.0_10-dev","v1.5.1+9-dev","v1.5.0+8-dev","v1.4.0+7-dev","v1.4.0+6-dev","v1.4.0-dev","v1.3.0-dev","v1.3.1-dev","v0.6-dev","v0.5-dev","v0.4-dev","v0.3-dev","v0.2-dev","first-android-release"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53662.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}]}