Linkwarden
Monthly
Stored cross-site scripting in Linkwarden 2.14.0 and earlier allows remote unauthenticated attackers to execute arbitrary JavaScript in victims' authenticated sessions by uploading malicious HTML archives. The vulnerability exists because the /api/v1/archives endpoint accepts unsanitized HTML files and serves them without Content-Security-Policy protections, enabling session hijacking and account takeover. No vendor-released patch identified at time of analysis (GHSA advisory notes no patches available). EPSS data not provided; no active exploitation (CISA KEV) or public POC identified at time of analysis.
Server-Side Request Forgery in Linkwarden's fetchTitleAndHeaders function enables authenticated users to perform arbitrary HTTP requests against internal services and infrastructure. The vulnerability stems from inadequate URL validation that only verifies protocol prefixes (http:// or https://) without blocking internal address spaces, allowing attackers to scan internal networks, access metadata endpoints (e.g., cloud provider instance metadata), and potentially exfiltrate sensitive data from services not exposed to the internet. Exploitation requires only low-privilege authentication (PR:L) and can impact resources beyond the vulnerable application's security scope (S:C). Patched in version 2.13.0.
Stored cross-site scripting in Linkwarden 2.14.0 and earlier allows remote unauthenticated attackers to execute arbitrary JavaScript in victims' authenticated sessions by uploading malicious HTML archives. The vulnerability exists because the /api/v1/archives endpoint accepts unsanitized HTML files and serves them without Content-Security-Policy protections, enabling session hijacking and account takeover. No vendor-released patch identified at time of analysis (GHSA advisory notes no patches available). EPSS data not provided; no active exploitation (CISA KEV) or public POC identified at time of analysis.
Server-Side Request Forgery in Linkwarden's fetchTitleAndHeaders function enables authenticated users to perform arbitrary HTTP requests against internal services and infrastructure. The vulnerability stems from inadequate URL validation that only verifies protocol prefixes (http:// or https://) without blocking internal address spaces, allowing attackers to scan internal networks, access metadata endpoints (e.g., cloud provider instance metadata), and potentially exfiltrate sensitive data from services not exposed to the internet. Exploitation requires only low-privilege authentication (PR:L) and can impact resources beyond the vulnerable application's security scope (S:C). Patched in version 2.13.0.