Only the latest release on main is actively maintained.
| Version | Supported |
|---|---|
main (latest) |
✅ |
| older commits | ❌ |
Please do not report security vulnerabilities through public GitHub Issues.
Instead, use one of these private channels:
- GitHub Security Advisories (preferred): Open a draft advisory
- Email: contact the maintainer via the email listed on the GitHub profile
- Description of the vulnerability and potential impact
- Steps to reproduce (minimal reproduction if possible)
- Affected versions / configurations
- Any proposed fix or mitigation
- Acknowledgement: within 48 hours
- Triage & assessment: within 7 days
- Fix & coordinated disclosure: within 30 days for critical issues
immich-folio acts as a reverse proxy in front of your private Immich instance. Security issues in scope include:
- Authentication / session bypass
- API key / secret leakage
- XSS vulnerabilities in gallery pages or lightbox
- Rate-limiting bypass enabling DoS
- Insecure Docker defaults that expose the Immich backend
Out of scope: vulnerabilities in Immich itself (report those upstream at immich.app).