Skip to main content

Linkace CVE-2024-56507

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-12-27 security-advisories@github.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 27, 2024 - 16:15 nvd
MEDIUM 5.4

DescriptionNVD

LinkAce is a self-hosted archive to collect links of your favorite websites. Prior to 1.15.6, a reflected cross-site scripting (XSS) vulnerability exists in the LinkAce. This issue occurs in the "URL" field of the "Edit Link" module, where user input is not properly sanitized or encoded before being reflected in the HTML response. This allows attackers to inject and execute arbitrary JavaScript in the context of the victim’s browser, leading to potential session hijacking, data theft, and unauthorized actions. This vulnerability is fixed in 1.15.6.

AnalysisAI

LinkAce is a self-hosted archive to collect links of your favorite websites. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. LinkAce is a self-hosted archive to collect links of your favorite websites. Prior to 1.15.6, a reflected cross-site scripting (XSS) vulnerability exists in the LinkAce. This issue occurs in the "URL" field of the "Edit Link" module, where user input is not properly sanitized or encoded before being reflected in the HTML response. This allows attackers to inject and execute arbitrary JavaScript in the context of the victim’s browser, leading to potential session hijacking, data theft, and unauthorized actions. This vulnerability is fixed in 1.15.6. Affected products include: Linkace. Version information: Prior to 1.15.6.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2025-53838 HIGH POC
8.4 Sep 08

LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 8.4), this vulnerability is remotel

CVE-2024-56508 HIGH POC
7.6 Dec 27

LinkAce is a self-hosted archive to collect links of your favorite websites. Rated high severity (CVSS 7.6), this vulner

CVE-2025-59424 HIGH POC
7.3 Sep 18

LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 7.3), this vulnerability is remotel

CVE-2026-27458 MEDIUM POC
5.4 Feb 21

Stored XSS in LinkAce 2.4.2 and below allows authenticated users to inject malicious JavaScript through improperly sanit

CVE-2026-45343 HIGH
8.5 May 28

Stored cross-site scripting in LinkAce prior to 2.5.6 allows a low-privilege OAuth-authenticated user to plant a persist

CVE-2026-33953 HIGH
8.5 Mar 27

Server-Side Request Forgery (SSRF) in LinkAce self-hosted link archival application allows authenticated users to bypass

CVE-2026-45344 HIGH
8.1 May 28

Remote code execution in LinkAce self-hosted link archive versions prior to 2.5.6 allows unauthenticated remote attacker

CVE-2026-30953 HIGH
7.7 Mar 10

Server-side request forgery in LinkAce allows authenticated users to make arbitrary HTTP requests to internal network ad

CVE-2026-45342 HIGH
7.1 May 28

Cross-tenant resource tampering in LinkAce before 2.5.6 lets any authenticated user modify links, lists, tags, and notes

CVE-2026-33954 MEDIUM
6.5 Mar 27

LinkAce versions before 2.5.3 disclose private notes to authenticated users via the web interface when viewing shared li

CVE-2026-35516 MEDIUM
5.0 Apr 07

Server-side request forgery (SSRF) in LinkAce prior to version 2.5.4 allows authenticated users to read responses from i

CVE-2026-30954 MEDIUM
4.3 Mar 10

LinkAce versions 2.1.0 and earlier allow authenticated users to inappropriately associate other users' private taxonomie

Share

CVE-2024-56507 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy