Skip to main content

Linkace CVE-2024-56508

HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-12-27 security-advisories@github.com
7.6
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N

Primary rating from Vendor (github) · only source for this CVE.

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 27, 2024 - 16:15 cve.org
HIGH 7.6

DescriptionCVE.org

LinkAce is a self-hosted archive to collect links of your favorite websites. Prior to 1.15.6, a file upload vulnerability exists in the LinkAce. This issue occurs in the "Import Bookmarks" functionality, where malicious HTML files can be uploaded containing JavaScript payloads. These payloads execute when the uploaded links are accessed, leading to potential reflected or persistent XSS scenarios. This vulnerability is fixed in 1.15.6.

AnalysisAI

LinkAce is a self-hosted archive to collect links of your favorite websites. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Unrestricted File Upload (CWE-434), which allows attackers to upload malicious files that can be executed on the server. LinkAce is a self-hosted archive to collect links of your favorite websites. Prior to 1.15.6, a file upload vulnerability exists in the LinkAce. This issue occurs in the "Import Bookmarks" functionality, where malicious HTML files can be uploaded containing JavaScript payloads. These payloads execute when the uploaded links are accessed, leading to potential reflected or persistent XSS scenarios. This vulnerability is fixed in 1.15.6. Affected products include: Linkace. Version information: Prior to 1.15.6.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate file types server-side, store uploads outside webroot, use random filenames, scan for malware.

CVE-2025-53838 HIGH POC
8.4 Sep 08

LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 8.4), this vulnerability is remotel

CVE-2025-59424 HIGH POC
7.3 Sep 18

LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 7.3), this vulnerability is remotel

CVE-2026-27458 MEDIUM POC
5.4 Feb 21

Stored XSS in LinkAce 2.4.2 and below allows authenticated users to inject malicious JavaScript through improperly sanit

CVE-2024-56507 MEDIUM POC
5.4 Dec 27

LinkAce is a self-hosted archive to collect links of your favorite websites. Rated medium severity (CVSS 5.4), this vuln

CVE-2026-45343 HIGH
8.5 May 28

Stored cross-site scripting in LinkAce prior to 2.5.6 allows a low-privilege OAuth-authenticated user to plant a persist

CVE-2026-33953 HIGH
8.5 Mar 27

Server-Side Request Forgery (SSRF) in LinkAce self-hosted link archival application allows authenticated users to bypass

CVE-2026-45344 HIGH
8.1 May 28

Remote code execution in LinkAce self-hosted link archive versions prior to 2.5.6 allows unauthenticated remote attacker

CVE-2026-30953 HIGH
7.7 Mar 10

Server-side request forgery in LinkAce allows authenticated users to make arbitrary HTTP requests to internal network ad

CVE-2026-45342 HIGH
7.1 May 28

Cross-tenant resource tampering in LinkAce before 2.5.6 lets any authenticated user modify links, lists, tags, and notes

CVE-2026-33954 MEDIUM
6.5 Mar 27

LinkAce versions before 2.5.3 disclose private notes to authenticated users via the web interface when viewing shared li

CVE-2026-35516 MEDIUM
5.0 Apr 07

Server-side request forgery (SSRF) in LinkAce prior to version 2.5.4 allows authenticated users to read responses from i

CVE-2026-30954 MEDIUM
4.3 Mar 10

LinkAce versions 2.1.0 and earlier allow authenticated users to inappropriately associate other users' private taxonomie

Share

CVE-2024-56508 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy