Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains a stored cross-site scripting vulnerability that allows a low-privilege user to execute arbitrary JavaScript in an administrator's browser session. This affects instances configured with SSO/OAuth authentication, which is one of the supported authentication methods in LinkAce. An attacker who sets their OAuth display name to a malicious script and then creates an API token will plant a persistent XSS payload in the audit log. When any admin navigates to /system/audit, the payload executes in the admin's browser context. This enables session cookie theft, CSRF token exfiltration (exposed in the la-app-data meta tag), or any other action the admin can perform. This vulnerability is fixed in 2.5.6.
AnalysisAI
Stored cross-site scripting in LinkAce prior to 2.5.6 allows a low-privilege OAuth-authenticated user to plant a persistent JavaScript payload in the administrator-facing audit log via their OAuth display name and a subsequent API token creation. When an admin visits /system/audit, the payload executes in their browser, enabling session cookie theft, CSRF token exfiltration from the la-app-data meta tag, and full impersonation of admin privileges. No public exploit identified at time of analysis, but a vendor patch (2.5.6) and GitHub Security Advisory GHSA-jx4g-ph82-x9mm are available.
Technical ContextAI
LinkAce is a self-hosted PHP/Laravel-based bookmark and link archival application maintained by Kovah (CPE cpe:2.3:a:kovah:linkace). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a failure to HTML-encode user-controlled identity attributes - the OAuth display name - when they are rendered into the administrative audit log view at /system/audit. Because LinkAce supports SSO/OAuth as one of its authentication backends, the display name field is populated from an external identity provider and is trusted by the audit-log rendering path. Combined with the application's exposure of the CSRF token in a la-app-data meta tag, the XSS sink in a privileged admin view becomes a vehicle for arbitrary authenticated admin-context actions.
RemediationAI
Vendor-released patch: upgrade to LinkAce 2.5.6 or later, which is the fixed release identified in the vendor advisory at https://github.com/Kovah/LinkAce/security/advisories/GHSA-jx4g-ph82-x9mm. If immediate upgrade is not possible, operators can temporarily disable SSO/OAuth authentication and require local accounts (trade-off: disrupts SSO-dependent user workflows and removes centralized identity management), or restrict OAuth login to a trusted identity provider that enforces server-side validation/sanitization of display names (trade-off: relies on IdP policy and does not protect against compromised IdP accounts). As an additional compensating control, administrators should avoid visiting /system/audit until patched, since exploitation requires the admin to render the audit log; this reduces but does not eliminate exposure because any admin browsing the page triggers the payload.
LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 8.4), this vulnerability is remotel
LinkAce is a self-hosted archive to collect links of your favorite websites. Rated high severity (CVSS 7.6), this vulner
LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 7.3), this vulnerability is remotel
Stored XSS in LinkAce 2.4.2 and below allows authenticated users to inject malicious JavaScript through improperly sanit
LinkAce is a self-hosted archive to collect links of your favorite websites. Rated medium severity (CVSS 5.4), this vuln
Server-Side Request Forgery (SSRF) in LinkAce self-hosted link archival application allows authenticated users to bypass
Remote code execution in LinkAce self-hosted link archive versions prior to 2.5.6 allows unauthenticated remote attacker
Server-side request forgery in LinkAce allows authenticated users to make arbitrary HTTP requests to internal network ad
Cross-tenant resource tampering in LinkAce before 2.5.6 lets any authenticated user modify links, lists, tags, and notes
LinkAce versions before 2.5.3 disclose private notes to authenticated users via the web interface when viewing shared li
Server-side request forgery (SSRF) in LinkAce prior to version 2.5.4 allows authenticated users to read responses from i
LinkAce versions 2.1.0 and earlier allow authenticated users to inappropriately associate other users' private taxonomie
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33055