VYPR
Moderate severity · NVD Advisory · Published Feb 21, 2026 · Updated Feb 25, 2026

Pannellum has an XSS vulnerability in hot spot attributes

CVE-2026-27210

Description

Pannellum is a lightweight, free, and open source panorama viewer for the web. In versions 3.5.0 through 2.5.6, the hot spot attributes configuration property allowed any attribute to be set, including HTML event handler attributes, allowing for potential XSS attacks. This affects websites hosting the standalone viewer HTML file and any other use of untrusted JSON config files (bypassing the protections of the escapeHTML parameter). As certain events fire without any additional user interaction, visiting a standalone viewer URL that points to a malicious config file — without additional user interaction — is sufficient to trigger the vulnerability and execute arbitrary JavaScript code, which can, for example, replace the contents of the page with arbitrary content and make it appear to be hosted by the website hosting the standalone viewer HTML file. This issue has been fixed in version 2.5.7. As a workaround, setting the Content-Security-Policy header to script-src-attr 'none' will block execution of inline event handlers, mitigating this vulnerability. Don't host pannellum.htm on a domain that shares cookies with user authentication to mitigate XSS risk.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pannellum ≤2.5.6 allows XSS via hot spot attributes that set arbitrary HTML event handlers, exploitable without user interaction from malicious JSON configs.

Vulnerability

Overview

The Pannellum panorama viewer (versions 2.5.6 and earlier) contains a cross-site scripting (XSS) vulnerability in its hot spot configuration handling. The attributes property of a hot spot was copied onto the hot spot's anchor element with setAttribute, key by key, without rejecting event handler attributes such as onclick, onmouseover, or others [1][3]. This bypasses the protection offered by the escapeHTML parameter because that parameter only escapes hot spot text content; it places no restriction on attribute names or values [1].

Attack

Vector and Exploitation

An attacker can craft a malicious JSON configuration file that includes hot spots with event handler attributes (e.g., onload, onerror, onmouseenter) set to attacker-controlled JavaScript code [1][3]. Because certain events fire automatically when the viewer loads (such as onerror for missing images or onload for elements), visiting a URL pointing to the standalone pannellum.htm file with such a malicious config triggers the vulnerability with no additional user interaction beyond the page load [1][3]. This affects any site hosting the standalone viewer HTML file or using untrusted JSON configs [1].

Impact

Successful exploitation allows arbitrary JavaScript execution in the context of the website hosting pannellum.htm. The attacker can, for example, replace page content with arbitrary phishing forms or malware downloads, making the page appear legitimate and hosted by the vulnerable domain [1][3]. Because the malicious script runs in the same origin, any cookies or authentication tokens for that domain are accessible, leading to session hijacking and further compromise [1].

Mitigation

The vulnerability has been fixed in version 2.5.7: when escapeHTML is enabled, each attribute name is lowercased and stripped to ASCII letters, and any name that starts with "on" or contains "href" is skipped instead of being set [4]. Users should upgrade to this version immediately. As a workaround, setting the Content-Security-Policy header to script-src-attr 'none' will block execution of inline event handlers, preventing the exploit even on vulnerable versions [1][3]. Additionally, avoid hosting pannellum.htm on a domain that shares cookies with user authentication to limit XSS impact [1][3].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
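The attribute check that the 2.5.7 patch introduces, reproduced here as an added JavaScript example that is not Pannellum's own code, together with a defender-side audit that walks an untrusted tour config and reports every hot spot attribute the patched viewer would drop. The function names (normalizeKey, isBlockedAttribute, filterHotSpotAttributes, auditConfig) and the sample config are constructed for this example; the config shape follows the hotSpots and attributes properties named in the advisory and the diff.

```javascript
// Added example, not Pannellum's code: reproduces the attribute check from
// the 2.5.7 fix and uses it to audit an untrusted config before it is handed
// to the viewer. All function names and the sample config are hypothetical.

// Normalize an attribute name exactly as the fix does: lowercase, then drop
// every character outside a-z. "onClick", "ON-LOAD" and "on\u200Bload"
// (zero-width space) all collapse to "onclick" / "onload". Note that hyphens
// are dropped too, so "data-room" becomes "dataroom".
function normalizeKey(key) {
  return String(key).toLowerCase().replace(/[^a-z]/g, '');
}

// Event handlers (on*) and anything containing "href" are injection sinks on
// the hot spot anchor; the fix refuses them when escapeHTML is enabled.
function isBlockedAttribute(key) {
  const k = normalizeKey(key);
  return k.startsWith('on') || k.includes('href');
}

// Split a hot spot's attributes into the ones a patched viewer would set and
// the ones it would skip. With escapeHTML === false the fix performs no
// filtering at all, which this mirrors.
function filterHotSpotAttributes(attributes, escapeHTML) {
  const allowed = {};
  const skipped = [];
  for (const key of Object.keys(attributes || {})) {
    if (!escapeHTML || !isBlockedAttribute(key)) {
      allowed[normalizeKey(key)] = attributes[key];
    } else {
      skipped.push(key);
    }
  }
  return { allowed, skipped };
}

// Defender-side pre-check for a parsed JSON config (single scene or a tour
// with a "scenes" map): list every hot spot attribute the fix would block, so
// untrusted configs can be rejected or cleaned before loading.
function auditConfig(config) {
  const findings = [];
  const scenes = config.scenes
    ? Object.entries(config.scenes)
    : [['(single scene)', config]];
  for (const [sceneId, scene] of scenes) {
    (scene.hotSpots || []).forEach((hs, index) => {
      for (const key of Object.keys(hs.attributes || {})) {
        if (isBlockedAttribute(key)) {
          findings.push({ scene: sceneId, hotSpot: index, attribute: key });
        }
      }
    });
  }
  return findings;
}

// Constructed sample tour config; the handler values are inert marker strings.
const SAMPLE_CONFIG = {
  default: { firstScene: 'lobby' },
  scenes: {
    lobby: {
      panorama: 'lobby.jpg',
      hotSpots: [
        {
          pitch: 0, yaw: 10, type: 'info', text: 'Front desk',
          attributes: { 'data-room': 'lobby', title: 'Front desk', onMouseEnter: 'MARKER' },
        },
        {
          pitch: 5, yaw: -20, type: 'scene', sceneId: 'hall',
          attributes: { 'aria-label': 'Go to hall', 'on\u200Bload': 'MARKER' },
        },
      ],
    },
  },
};

console.log(JSON.stringify(auditConfig(SAMPLE_CONFIG), null, 2));
```

Run with Node. The second sample hot spot shows why the fix strips non-ASCII characters before the check: a zero-width space inside the name would otherwise slip past a plain prefix test. With escapeHTML set to false the filter admits everything, which is why the script-src-attr 'none' CSP workaround matters for deployments that cannot upgrade or that disable escaping.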

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions     Patched versions
pannellum (npm)    >= 2.5.0, < 2.5.7     2.5.7


Patches

9391ef8da6a6

Fix XSS vulnerability in hot spot attribute handling.

https://github.com/mpetroff/pannellum · Matthew Petroff · Feb 19, 2026 · via ghsa
1 file changed · +13 −1
  • src/js/pannellum.js (+13 −1, modified)
    @@ -1734,7 +1734,19 @@ function createHotSpot(hs) {
             a.href = sanitizeURL(hs.URL, true);
             if (hs.attributes) {
                 for (var key in hs.attributes) {
    -                a.setAttribute(key, hs.attributes[key]);
    +                // The setAttribute method converts the key to a lowercase
    +                // string, so we do this conversion ourselves, before examining
    +                // it (and we also remove all non-ASCII characters)
    +                key = String(key).toLowerCase().replace(/[^a-z]/g, '');
    +                if (!initialConfig.escapeHTML ||
    +                    (!key.startsWith('on') && !key.includes('href'))) {
    +                    // setAttribute is an injection sink, so we need to filter
    +                    // out HTML event handler attributes and href (which is
    +                    // specifically sanitized above) to avoid XSS
    +                    a.setAttribute(key, hs.attributes[key]);
    +                } else {
    +                    console.log('Hot spot attribute skipped.');
    +                }
                 }
             } else {
                 a.target = '_blank';
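Review bot: the normalized name computed on the "key = String(key).toLowerCase().replace(/[^a-z]/g, '')" line is reused for the later a.setAttribute(key, ...), so hyphens are stripped from legitimate attribute names as well: a config that sets data-room or aria-label now ends up setting dataroom / arialabel on the anchor, which silently changes behaviour for existing configs. Keeping the hyphen in the allowed class, "/[^a-z-]/g", preserves those names without weakening the check, since startsWith('on') and includes('href') still match every handler and href variant. Two smaller points: the else branch logs 'Hot spot attribute skipped.' without saying which one, so console.warn with the offending key would make a rejected config diagnosable; and startsWith/includes are ES2015 string methods in a file that otherwise uses var, so they are worth checking against the browsers the project supports.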
    
