{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40096", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T01:41:38.536Z", "datePublished": "2026-04-14T23:54:17.662Z", "dateUpdated": "2026-04-15T16:19:07.744Z"}, "containers": {"cna": {"title": "immich: Open Redirect via Shared Album name", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/immich-app/immich/security/advisories/GHSA-24fq-72x8-v7hm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/immich-app/immich/security/advisories/GHSA-24fq-72x8-v7hm"}, {"name": "https://github.com/immich-app/immich/releases/tag/v2.7.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/immich-app/immich/releases/tag/v2.7.3"}], "affected": [{"vendor": "immich-app", "product": "immich", "versions": [{"version": "< 2.7.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T23:54:17.662Z"}, "descriptions": [{"lang": "en", "value": "immich is a high performance self-hosted photo and video management solution. Versions prior to 2.7.3 contain an open redirect vulnerability in the shared album functionality, where the album name is inserted unsanitized into a <meta> tag in api.service.ts. A registered attacker can create a shared album with a crafted name containing 0;url=https://attackersite.com\" http-equiv=\"refresh, which when rendered in the <meta property=\"og:title\"> tag causes the victim's browser to redirect to an attacker-controlled site upon opening the share link. This facilitates phishing attacks, as the attacker could host a modified version of immich that collects login credentials from victims who believe they need to authenticate to view the shared album. This issue has been fixed in version 2.7.3."}], "source": {"advisory": "GHSA-24fq-72x8-v7hm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T16:18:25.907356Z", "id": "CVE-2026-40096", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T16:19:07.744Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40096", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T16:18:25.907356Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T16:19:03.271Z"}}], "cna": {"title": "immich: Open Redirect via Shared Album name", "source": {"advisory": "GHSA-24fq-72x8-v7hm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "immich-app", "product": "immich", "versions": [{"status": "affected", "version": "< 2.7.3"}]}], "references": [{"url": "https://github.com/immich-app/immich/security/advisories/GHSA-24fq-72x8-v7hm", "name": "https://github.com/immich-app/immich/security/advisories/GHSA-24fq-72x8-v7hm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/immich-app/immich/releases/tag/v2.7.3", "name": "https://github.com/immich-app/immich/releases/tag/v2.7.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "immich is a high performance self-hosted photo and video management solution. Versions prior to 2.7.3 contain an open redirect vulnerability in the shared album functionality, where the album name is inserted unsanitized into a <meta> tag in api.service.ts. A registered attacker can create a shared album with a crafted name containing 0;url=https://attackersite.com\" http-equiv=\"refresh, which when rendered in the <meta property=\"og:title\"> tag causes the victim's browser to redirect to an attacker-controlled site upon opening the share link. This facilitates phishing attacks, as the attacker could host a modified version of immich that collects login credentials from victims who believe they need to authenticate to view the shared album. This issue has been fixed in version 2.7.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T23:54:17.662Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40096", "state": "PUBLISHED", "dateUpdated": "2026-04-15T16:19:07.744Z", "dateReserved": "2026-04-09T01:41:38.536Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T23:54:17.662Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "immich is a high performance self-hosted photo and video management solution. Versions prior to 2.7.3 contain an open redirect vulnerability in the shared album functionality, where the album name is inserted unsanitized into a <meta> tag in api.service.ts. A registered attacker can create a shared album with a crafted name containing 0;url=https://attackersite.com\" http-equiv=\"refresh, which when rendered in the <meta property=\"og:title\"> tag causes the victim's browser to redirect to an attacker-controlled site upon opening the share link. This facilitates phishing attacks, as the attacker could host a modified version of immich that collects login credentials from victims who believe they need to authenticate to view the shared album. This issue has been fixed in version 2.7.3."}], "id": "CVE-2026-40096", "lastModified": "2026-04-17T15:38:09.243", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-15T04:17:47.680", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/immich-app/immich/releases/tag/v2.7.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/immich-app/immich/security/advisories/GHSA-24fq-72x8-v7hm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.7.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "immich", "source": "cna", "vendor": "immich-app"}, "product": "immich", "vendor": "immich-app"}], "analysis": {"en": {"generated_at": "2026-04-15T01:20:52.724983+00:00", "value": {"mitigation_remediation": ["Apply the latest immich update (v2.7.3 or later) to eliminate the open redirect flaw.", "Avoid clicking on shared album links from unknown or untrusted senders until the vulnerability is patched.", "Implement input validation or sanitization for album names to neutralize meta tag injection if patching is delayed."], "summary": {"action": "Update", "impact": "Phishing via Open Redirect"}, "threat_synthesis": {"affected_systems": "This flaw exists in the immich self\u2011hosted photo and video management solution, specifically in all versions before 2.7.3 of immich-app:immich. No post\u20112.7.3 releases are affected.", "description_and_impact": "The vulnerability allows a registered attacker to create a shared album whose name contains a crafted meta tag that triggers a browser redirect to an arbitrary URL. When a victim opens the share link, the unsanitized album name is inserted into an og:title meta tag, causing the victim\u2019s browser to navigate to the attacker\u2011controlled site. The attacker can then present a counterfeit version of immich to harvest credentials, enabling phishing attacks.", "risk_and_exploitability": "The CVSS score of 5.1 indicates moderate risk; the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The attack requires the victim to open a crafted shared album link, an action that can be achieved via email or messaging. The attacker\u2019s ability to create such a link is limited to registered users, but once the link is exposed, victims can be redirected without authentication prompts, facilitating phishing and credential theft."}}}}, "created": "2026-04-15T13:48:23.609708+00:00", "updated": "2026-04-15T13:49:14.874259+00:00", "vendors": ["immich-app", "immich-app$PRODUCT$immich"]}