Skip to main content

Linkace CVE-2025-53838

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-09-08 security-advisories@github.com
XSS Linkace
8.4
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

4
Analysis Generated
Mar 28, 2026 - 19:11 vuln.today
Patch released
Mar 28, 2026 - 19:11 nvd
Patch available
PoC Detected
Oct 06, 2025 - 15:02 vuln.today
Public exploit code
CVE Published
Sep 08, 2025 - 20:15 nvd
HIGH 8.4

DescriptionNVD

LinkAce is a self-hosted archive to collect website links. A stored cross-site scripting (XSS) vulnerability was discovered in versions prior to 2.1.9 that allows an attacker to inject arbitrary JavaScript, which is then executed in the context of a user's browser when the malicious link is clicked. This is a one-click XSS, meaning the victim only needs to click a crafted link - no further interaction is required. The application contains a stored XSS vulnerability due to insufficient filtering and escaping of user-supplied data inserted into link attributes. Malicious JavaScript code can be saved in the database along with the link and executed in the user’s browser when clicking the link, leading to arbitrary script execution within the context of the site. Version 2.1.9 fixes the issue.

AnalysisAI

LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. LinkAce is a self-hosted archive to collect website links. A stored cross-site scripting (XSS) vulnerability was discovered in versions prior to 2.1.9 that allows an attacker to inject arbitrary JavaScript, which is then executed in the context of a user's browser when the malicious link is clicked. This is a one-click XSS, meaning the victim only needs to click a crafted link - no further interaction is required. The application contains a stored XSS vulnerability due to insufficient filtering and escaping of user-supplied data inserted into link attributes. Malicious JavaScript code can be saved in the database along with the link and executed in the user’s browser when clicking the link, leading to arbitrary script execution within the context of the site. Version 2.1.9 fixes the issue. Affected products include: Linkace. Version information: prior to 2.1.9.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

Share

CVE-2025-53838 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy