Immich
Self-hosted photo and video management platform.
- Current version: 2.7.5
- Release date: April 13, 2026
- Security status: 3 high-severity CVEs tracked in the last 90 days. Current version impact is unclear.
Source
GitHub API
Public release notes are linked for the latest stored release.
Release history
See the latest published releases stored for this product.
| Version | Published | Notes |
|---|---|---|
| 2.7.5 | 2026-04-13 | Release Notes |
| 2.7.4 | 2026-04-10 | Release Notes |
| 2.7.3 | 2026-04-09 | Release Notes |
| 2.7.2 | 2026-04-07 | Release Notes |
| 2.6.3 | 2026-03-26 | Release Notes |
| 2.6.2 | 2026-03-24 | Release Notes |
| 2.6.1 | 2026-03-19 | Release Notes |
| v2.5.6 | 2026-02-10 | Release Notes |
Vulnerability tracking
versionPing monitors CVEs for this product. Matching CVEs are listed below. We only display CVEs with a CVSS score of 7.0 or higher that were published within the last 90 days.
Affected status is inferred from published affected version ranges where available. Always verify against the vendor advisory before making production decisions.
| CVE | Severity | Published | Status | Summary |
|---|---|---|---|---|
| CVE-2026-40185 | HIGH (7.1) | 2026-04-10 | Current version unclear | TREK is a collaborative travel planner. Prior to 2.7.2, TREK was missing authorization checks on the Immich trip photo management routes. This vulnerability is fixed in 2.7.2. |
| CVE-2026-35455 | HIGH (7.3) | 2026-04-08 | Current version unclear | immich is a high performance self-hosted photo and video management solution. Prior to 2.7.0, Stored Cross-Site Scripting (XSS) in the 360° panorama viewer allows any authenticated user to execute arbitrary JavaScript in the browser of any other user who views the malicious panorama with the OCR overlay enabled. The attacker uploads an equirectangular image containing crafted text; OCR extracts it, and the panorama viewer renders it via innerHTML without sanitization. This enables session hijacking (via persistent API key creation), private photo exfiltration, and access to GPS location history and face biometric data. This vulnerability is fixed in 2.7.0. |
| CVE-2026-25118 | HIGH (7.5) | 2026-04-03 | Current version unclear | immich is a high performance self-hosted photo and video management solution. Prior to version 2.6.0, the Immich application is vulnerable to credential disclosure when a user authenticates to a shared album. During the authentication process, the application transmits the album password within the URL query parameters in a GET request to /api/shared-links/me. This exposes the password in browser history, proxy and server logs, and referrer headers, allowing unintended disclosure of authentication credentials. The impact of this vulnerability is the potential compromise of shared album access and unauthorized exposure of sensitive user data. This issue has been patched in version 2.6.0. |