Skip to main content

Linkwarden CVE-2026-42455

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-08 GitHub_M
8.8
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 09, 2026 - 02:15 vuln.today
CVSS changed
May 09, 2026 - 00:22 NVD
8.8 (HIGH)
CVE Published
May 08, 2026 - 23:10 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 23:10 nvd
HIGH 8.8

DescriptionGitHub Advisory

Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. In versions 2.14.0 and prior, the archive upload endpoint (POST /api/v1/archives/[linkId]?format=4) accepts HTML files (text/html) without sanitizing JavaScript content. When the archive is later accessed via GET /api/v1/archives/[linkId]?format=4, the HTML is served with Content-Type: text/html from the Linkwarden origin, without any Content-Security-Policy header. This allows arbitrary JavaScript execution in the context of the authenticated Linkwarden sessio. At time of publication, there are no publicly available patches.

AnalysisAI

Stored cross-site scripting in Linkwarden 2.14.0 and earlier allows remote unauthenticated attackers to execute arbitrary JavaScript in victims' authenticated sessions by uploading malicious HTML archives. The vulnerability exists because the /api/v1/archives endpoint accepts unsanitized HTML files and serves them without Content-Security-Policy protections, enabling session hijacking and account takeover. No vendor-released patch identified at time of analysis (GHSA advisory notes no patches available). EPSS data not provided; no active exploitation (CISA KEV) or public POC identified at time of analysis.

Technical ContextAI

Linkwarden is a self-hosted collaborative bookmark manager written in JavaScript (likely Next.js/React based on typical self-hosted webapp stacks). This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) in the archive upload and retrieval mechanism. The application's REST API endpoint POST /api/v1/archives/[linkId]?format=4 accepts HTML file uploads (Content-Type: text/html) without server-side sanitization or validation of embedded JavaScript. When retrieved via GET /api/v1/archives/[linkId]?format=4, the stored HTML is served directly from the Linkwarden origin with text/html Content-Type but critically lacks Content-Security-Policy headers that would restrict script execution. This creates a stored XSS condition where malicious JavaScript persists server-side and executes in the browser context of any user who accesses the archived content, inheriting their authenticated session privileges.

RemediationAI

No vendor-released patch exists at time of analysis per GHSA-fjvg-mch3-j3vg advisory statement 'there are no publicly available patches.' Organizations running Linkwarden 2.14.0 or earlier should implement these compensating controls immediately: (1) Deploy a reverse proxy (nginx, Caddy, Traefik) in front of Linkwarden and configure strict Content-Security-Policy headers for all /api/v1/archives responses - specifically set 'Content-Security-Policy: default-src none; script-src none; object-src none; base-uri none' to block JavaScript execution. Trade-off: may break legitimate HTML archive display features if archives contain intentional scripts. (2) Restrict archive upload permissions to trusted administrative users only via application access controls or reverse proxy authentication - disable public/anonymous uploads to the /api/v1/archives endpoint. Trade-off: reduces collaborative functionality for untrusted team members. (3) Implement file type validation at the reverse proxy layer to reject text/html uploads entirely, forcing users to archive as PDF or screenshot formats instead. Trade-off: eliminates HTML archiving capability. Monitor the GitHub repository (https://github.com/linkwarden/linkwarden) and subscribe to GHSA-fjvg-mch3-j3vg for patch release notifications. Consider temporarily disabling archive upload features if compensating controls cannot be deployed quickly.

Share

CVE-2026-42455 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy