Skip to main content

LinkAce CVE-2026-45343

| EUVDEUVD-2026-33055 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-28 GitHub_M
8.5
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 29, 2026 - 00:00 vuln.today
Patch available
May 28, 2026 - 23:02 EUVD
CVSS changed
May 28, 2026 - 22:22 NVD
8.5 (HIGH)
CVE Published
May 28, 2026 - 20:45 nvd
UNKNOWN (no severity yet)

DescriptionGitHub Advisory

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains a stored cross-site scripting vulnerability that allows a low-privilege user to execute arbitrary JavaScript in an administrator's browser session. This affects instances configured with SSO/OAuth authentication, which is one of the supported authentication methods in LinkAce. An attacker who sets their OAuth display name to a malicious script and then creates an API token will plant a persistent XSS payload in the audit log. When any admin navigates to /system/audit, the payload executes in the admin's browser context. This enables session cookie theft, CSRF token exfiltration (exposed in the la-app-data meta tag), or any other action the admin can perform. This vulnerability is fixed in 2.5.6.

AnalysisAI

Stored cross-site scripting in LinkAce prior to 2.5.6 allows a low-privilege OAuth-authenticated user to plant a persistent JavaScript payload in the administrator-facing audit log via their OAuth display name and a subsequent API token creation. When an admin visits /system/audit, the payload executes in their browser, enabling session cookie theft, CSRF token exfiltration from the la-app-data meta tag, and full impersonation of admin privileges. No public exploit identified at time of analysis, but a vendor patch (2.5.6) and GitHub Security Advisory GHSA-jx4g-ph82-x9mm are available.

Technical ContextAI

LinkAce is a self-hosted PHP/Laravel-based bookmark and link archival application maintained by Kovah (CPE cpe:2.3:a:kovah:linkace). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a failure to HTML-encode user-controlled identity attributes - the OAuth display name - when they are rendered into the administrative audit log view at /system/audit. Because LinkAce supports SSO/OAuth as one of its authentication backends, the display name field is populated from an external identity provider and is trusted by the audit-log rendering path. Combined with the application's exposure of the CSRF token in a la-app-data meta tag, the XSS sink in a privileged admin view becomes a vehicle for arbitrary authenticated admin-context actions.

RemediationAI

Vendor-released patch: upgrade to LinkAce 2.5.6 or later, which is the fixed release identified in the vendor advisory at https://github.com/Kovah/LinkAce/security/advisories/GHSA-jx4g-ph82-x9mm. If immediate upgrade is not possible, operators can temporarily disable SSO/OAuth authentication and require local accounts (trade-off: disrupts SSO-dependent user workflows and removes centralized identity management), or restrict OAuth login to a trusted identity provider that enforces server-side validation/sanitization of display names (trade-off: relies on IdP policy and does not protect against compromised IdP accounts). As an additional compensating control, administrators should avoid visiting /system/audit until patched, since exploitation requires the admin to render the audit log; this reduces but does not eliminate exposure because any admin browsing the page triggers the payload.

CVE-2025-53838 HIGH POC
8.4 Sep 08

LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 8.4), this vulnerability is remotel

CVE-2024-56508 HIGH POC
7.6 Dec 27

LinkAce is a self-hosted archive to collect links of your favorite websites. Rated high severity (CVSS 7.6), this vulner

CVE-2025-59424 HIGH POC
7.3 Sep 18

LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 7.3), this vulnerability is remotel

CVE-2026-27458 MEDIUM POC
5.4 Feb 21

Stored XSS in LinkAce 2.4.2 and below allows authenticated users to inject malicious JavaScript through improperly sanit

CVE-2024-56507 MEDIUM POC
5.4 Dec 27

LinkAce is a self-hosted archive to collect links of your favorite websites. Rated medium severity (CVSS 5.4), this vuln

CVE-2026-33953 HIGH
8.5 Mar 27

Server-Side Request Forgery (SSRF) in LinkAce self-hosted link archival application allows authenticated users to bypass

CVE-2026-45344 HIGH
8.1 May 28

Remote code execution in LinkAce self-hosted link archive versions prior to 2.5.6 allows unauthenticated remote attacker

CVE-2026-30953 HIGH
7.7 Mar 10

Server-side request forgery in LinkAce allows authenticated users to make arbitrary HTTP requests to internal network ad

CVE-2026-45342 HIGH
7.1 May 28

Cross-tenant resource tampering in LinkAce before 2.5.6 lets any authenticated user modify links, lists, tags, and notes

CVE-2026-33954 MEDIUM
6.5 Mar 27

LinkAce versions before 2.5.3 disclose private notes to authenticated users via the web interface when viewing shared li

CVE-2026-35516 MEDIUM
5.0 Apr 07

Server-side request forgery (SSRF) in LinkAce prior to version 2.5.4 allows authenticated users to read responses from i

CVE-2026-30954 MEDIUM
4.3 Mar 10

LinkAce versions 2.1.0 and earlier allow authenticated users to inappropriately associate other users' private taxonomie

Share

CVE-2026-45343 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy