Linkwarden
CVE-2026-42455
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. In versions 2.14.0 and prior, the archive upload endpoint (POST /api/v1/archives/[linkId]?format=4) accepts HTML files (text/html) without sanitizing JavaScript content. When the archive is later accessed via GET /api/v1/archives/[linkId]?format=4, the HTML is served with Content-Type: text/html from the Linkwarden origin, without any Content-Security-Policy header. This allows arbitrary JavaScript execution in the context of the authenticated Linkwarden sessio. At time of publication, there are no publicly available patches.
AnalysisAI
Stored cross-site scripting in Linkwarden 2.14.0 and earlier allows remote unauthenticated attackers to execute arbitrary JavaScript in victims' authenticated sessions by uploading malicious HTML archives. The vulnerability exists because the /api/v1/archives endpoint accepts unsanitized HTML files and serves them without Content-Security-Policy protections, enabling session hijacking and account takeover. No vendor-released patch identified at time of analysis (GHSA advisory notes no patches available). EPSS data not provided; no active exploitation (CISA KEV) or public POC identified at time of analysis.
Technical ContextAI
Linkwarden is a self-hosted collaborative bookmark manager written in JavaScript (likely Next.js/React based on typical self-hosted webapp stacks). This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) in the archive upload and retrieval mechanism. The application's REST API endpoint POST /api/v1/archives/[linkId]?format=4 accepts HTML file uploads (Content-Type: text/html) without server-side sanitization or validation of embedded JavaScript. When retrieved via GET /api/v1/archives/[linkId]?format=4, the stored HTML is served directly from the Linkwarden origin with text/html Content-Type but critically lacks Content-Security-Policy headers that would restrict script execution. This creates a stored XSS condition where malicious JavaScript persists server-side and executes in the browser context of any user who accesses the archived content, inheriting their authenticated session privileges.
RemediationAI
No vendor-released patch exists at time of analysis per GHSA-fjvg-mch3-j3vg advisory statement 'there are no publicly available patches.' Organizations running Linkwarden 2.14.0 or earlier should implement these compensating controls immediately: (1) Deploy a reverse proxy (nginx, Caddy, Traefik) in front of Linkwarden and configure strict Content-Security-Policy headers for all /api/v1/archives responses - specifically set 'Content-Security-Policy: default-src none; script-src none; object-src none; base-uri none' to block JavaScript execution. Trade-off: may break legitimate HTML archive display features if archives contain intentional scripts. (2) Restrict archive upload permissions to trusted administrative users only via application access controls or reverse proxy authentication - disable public/anonymous uploads to the /api/v1/archives endpoint. Trade-off: reduces collaborative functionality for untrusted team members. (3) Implement file type validation at the reverse proxy layer to reject text/html uploads entirely, forcing users to archive as PDF or screenshot formats instead. Trade-off: eliminates HTML archiving capability. Monitor the GitHub repository (https://github.com/linkwarden/linkwarden) and subscribe to GHSA-fjvg-mch3-j3vg for patch release notifications. Consider temporarily disabling archive upload features if compensating controls cannot be deployed quickly.
More in Linkwarden
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today