Suggestions search

All statuses

Filter by:

With package: immich-cli

Found 2 matching suggestions

View:

Compact

Detailed

Untriaged

Permalink CVE-2026-40096

created 1 week, 6 days ago Activity log

Created suggestion 1 week, 6 days ago

immich: Open Redirect via Shared Album name

immich is a high performance self-hosted photo and video management solution. Versions prior to 2.7.3 contain an open redirect vulnerability in the shared album functionality, where the album name is inserted unsanitized into a <meta> tag in api.service.ts. A registered attacker can create a shared album with a crafted name containing 0;url=https://attackersite.com" http-equiv="refresh, which when rendered in the <meta property="og:title"> tag causes the victim's browser to redirect to an attacker-controlled site upon opening the share link. This facilitates phishing attacks, as the attacker could host a modified version of immich that collects login credentials from victims who believe they need to authenticate to view the shared album. This issue has been fixed in version 2.7.3.

References

https://github.com/immich-app/immich/security/advisories/GHSA-24fq-72x8-v7hm x_refsource_CONFIRM
https://github.com/immich-app/immich/releases/tag/v2.7.3 x_refsource_MISC

Affected products

immich

==< 2.7.3

Matching in nixpkgs

pkgs.immich

Self-hosted photo and video backup solution

nixos-unstable 2.7.2
- nixpkgs-unstable 2.7.4
- nixos-unstable-small 2.7.4
nixos-25.11 2.7.4
- nixos-25.11-small 2.7.4
- nixpkgs-25.11-darwin 2.7.4

pkgs.immich-go

Immich client tool for bulk-uploads

nixos-unstable 0.31.0
- nixpkgs-unstable 0.31.0
- nixos-unstable-small 0.31.0
nixos-25.11 0.30.0
- nixos-25.11-small 0.30.0
- nixpkgs-25.11-darwin 0.30.0

pkgs.immich-cli

Self-hosted photo and video backup solution (command line interface)

nixos-unstable 2.7.2
- nixpkgs-unstable 2.7.4
- nixos-unstable-small 2.7.4
nixos-25.11 2.7.4
- nixos-25.11-small 2.7.4
- nixpkgs-25.11-darwin 2.7.4

pkgs.immichframe

Display your photos from Immich as a digital photo frame

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small

pkgs.immich-kiosk

Lightweight slideshow for running on kiosk devices and browsers that uses Immich as a data source

nixos-unstable 0.31.0
- nixpkgs-unstable 0.31.0
- nixos-unstable-small 0.31.0
nixos-25.11 0.26.1
- nixos-25.11-small 0.26.1
- nixpkgs-25.11-darwin 0.26.1

pkgs.immich-public-proxy

Share your Immich photos and albums in a safe way without exposing your Immich instance to the public

nixos-unstable 1.15.5
- nixpkgs-unstable 1.15.5
- nixos-unstable-small 1.15.5
nixos-25.11 1.15.1
- nixos-25.11-small 1.15.1
- nixpkgs-25.11-darwin 1.15.1

pkgs.immich-machine-learning

Self-hosted photo and video backup solution (machine learning component)

nixos-unstable 2.7.2
- nixpkgs-unstable 2.7.4
- nixos-unstable-small 2.7.4
nixos-25.11 2.7.4
- nixos-25.11-small 2.7.4
- nixpkgs-25.11-darwin 2.7.4

pkgs.python312Packages.aioimmich

Asynchronous library to fetch albums and assests from immich

nixos-25.11 0.11.1
- nixos-25.11-small 0.11.1
- nixpkgs-25.11-darwin 0.11.1

pkgs.python313Packages.aioimmich

Asynchronous library to fetch albums and assests from immich

nixos-unstable 0.13.0
- nixpkgs-unstable 0.13.0
- nixos-unstable-small 0.14.0
nixos-25.11 0.11.1
- nixos-25.11-small 0.11.1
- nixpkgs-25.11-darwin 0.11.1

pkgs.python314Packages.aioimmich

Asynchronous library to fetch albums and assests from immich

nixos-unstable 0.13.0
- nixpkgs-unstable 0.13.0
- nixos-unstable-small 0.14.0

pkgs.gnomeExtensions.immich-wallpaper

Sets desktop wallpaper from Immich server photos

nixos-unstable 9
- nixpkgs-unstable 9
- nixos-unstable-small 9
nixos-25.11 4
- nixos-25.11-small 4
- nixpkgs-25.11-darwin 4

pkgs.pkgsRocm.immich-machine-learning

Self-hosted photo and video backup solution (machine learning component)

nixos-unstable 2.7.2
- nixpkgs-unstable 2.7.4
- nixos-unstable-small 2.7.4
nixos-25.11 2.7.4
- nixos-25.11-small 2.7.4
- nixpkgs-25.11-darwin 2.7.4

pkgs.home-assistant-component-tests.immich

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-components.immich

Open source home automation that puts local control and privacy first

nixos-unstable -
- nixos-unstable-small 2026.4.2

pkgs.tests.home-assistant-component-tests.immich

Open source home automation that puts local control and privacy first

nixos-unstable 2026.4.1
- nixpkgs-unstable 2026.4.1

Package maintainers

@honnip Jung seungwoo <me@honnip.page>
@jvanbruegge Jan van Brügge <supermanitu@gmail.com>
@Scrumplex Sefa Eyeoglu <contact@scrumplex.net>
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@titaniumtown Simon Gardling <titaniumtown@proton.me>
@diogotcorreia Diogo Correia <me@diogotc.com>
@kai-tub Kai Norman Clasen
@tlvince Tom Vincent <nixos@tlvince.com>
@Jaculabilis Tim Van Baak <tim.vanbaak@gmail.com>
@jfly Jeremy Fleischman <jeremyfleischman@gmail.com>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>

Untriaged

Permalink CVE-2026-25118

created 3 weeks, 4 days ago Activity log

Created suggestion 3 weeks, 4 days ago

immich-server: Insecure Transmission of Authentication Credentials via Password Parameter in HTTP Request Query String When Accessing Shared Albums

immich is a high performance self-hosted photo and video management solution. Prior to version 2.6.0, the Immich application is vulnerable to credential disclosure when a user authenticates to a shared album. During the authentication process, the application transmits the album password within the URL query parameters in a GET request to /api/shared-links/me. This exposes the password in browser history, proxy and server logs, and referrer headers, allowing unintended disclosure of authentication credentials. The impact of this vulnerability is the potential compromise of shared album access and unauthorized exposure of sensitive user data. This issue has been patched in version 2.6.0.