cvedb.io
CVE-2026-27210
MEDIUM · CVSS 6.1
EPSS exploitation probability: 0%
Published 2026-02-21T06:17:01.083 · Last modified 2026-06-17T10:26:51.030

Summary

Pannellum is a lightweight, free, and open source panorama viewer for the web. In versions 3.5.0 through 2.5.6, the hot spot attributes configuration property allowed any attribute to be set, including HTML event handler attributes, allowing for potential XSS attacks. This affects websites hosting the standalone viewer HTML file and any other use of untrusted JSON config files (bypassing the protections of the escapeHTML parameter). As certain events fire without any additional user interaction, visiting a standalone viewer URL that points to a malicious config file — without additional user interaction — is sufficient to trigger the vulnerability and execute arbitrary JavaScript code, which can, for example, replace the contents of the page with arbitrary content and make it appear to be

Affected products

pannellum — pannellum

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.