Description
LinkAce is a self-hosted archive to collect website links. Versions 2.4.2 and below have a Stored Cross-site Scripting vulnerability through the Atom feed endpoint for lists (/lists/feed). An authenticated user can inject a CDATA-breaking payload into a list description that escapes the XML CDATA section, injects a native SVG element into the Atom XML document, and executes arbitrary JavaScript directly in the browser when the feed URL is visited. No RSS reader or additional rendering context is required — the browser's native XML parser processes the injected SVG and fires the onload event handler. This vulnerability exists because the lists feed template outputs list descriptions using Blade's raw syntax ({!! !!}) without sanitization inside a CDATA block. The critical detail is that because the output sits inside <![CDATA[...]]>, an attacker can inject the sequence ]]> to close the CDATA section prematurely, then inject arbitrary XML/SVG elements that the browser parses and executes natively as part of the Atom document. This issue has been fixed in version 2.4.3.
Published: 2026-02-21
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via Atom feed
Action: Patch Now
AI Analysis

Impact

An authenticated LinkAce user can inject a payload that breaks the XML CDATA wrapper in the Atom feed endpoint for lists. The attacker’s payload closes the CDATA block, injects a native SVG element with an onload handler, and causes the browser’s XML parser to execute arbitrary JavaScript when the feed URL is opened. The script runs in the victim’s browser context, allowing attacker‑controlled code execution, data theft, or defacement. The vulnerability is limited to the Atom feed rendering context and does not allow arbitrary remote code execution on the server side.

Affected Systems

Kovah:LinkAce, versions 2.4.2 and earlier are affected. The flaw was addressed in version 2.4.3 and later.

Risk and Exploitability

The flaw has a CVSS score of 8.7, reflecting high client‑side impact. The EPSS score is below 1%, suggesting that exploitation attempts are rare but not impossible. The issue is not listed in the CISA KEV catalog. A successful exploit requires an authenticated user to inject the payload; the script will then execute in any browser that fetches the Atom feed, including the attacker’s own. Thus the attack surface is moderate but the potential damage to users’ browsers is high.

Generated by OpenCVE AI on April 17, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LinkAce installation to version 2.4.3 or later to apply the vendor patch.
  • If upgrading immediately is not feasible, disable or restrict access to the Atom feed endpoint so that only trusted users can fetch it, or require authentication for any feed request.
  • As an additional defensive measure, implement a Content-Security-Policy header for the Atom feed responses to prevent inline script execution or restrict SVG usage.

Generated by OpenCVE AI on April 17, 2026 at 16:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Linkace
Linkace linkace
CPEs cpe:2.3:a:linkace:linkace:*:*:*:*:*:*:*:*
Vendors & Products Linkace
Linkace linkace
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Kovah
Kovah linkace
Vendors & Products Kovah
Kovah linkace

Sat, 21 Feb 2026 07:15:00 +0000

Type Values Removed Values Added
Description LinkAce is a self-hosted archive to collect website links. Versions 2.4.2 and below have a Stored Cross-site Scripting vulnerability through the Atom feed endpoint for lists (/lists/feed). An authenticated user can inject a CDATA-breaking payload into a list description that escapes the XML CDATA section, injects a native SVG element into the Atom XML document, and executes arbitrary JavaScript directly in the browser when the feed URL is visited. No RSS reader or additional rendering context is required — the browser's native XML parser processes the injected SVG and fires the onload event handler. This vulnerability exists because the lists feed template outputs list descriptions using Blade's raw syntax ({!! !!}) without sanitization inside a CDATA block. The critical detail is that because the output sits inside <![CDATA[...]]>, an attacker can inject the sequence ]]> to close the CDATA section prematurely, then inject arbitrary XML/SVG elements that the browser parses and executes natively as part of the Atom document. This issue has been fixed in version 2.4.3.
Title LinkAce: Stored XSS in Atom Feed via CDATA Escape in List Description
Weaknesses CWE-80
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Kovah Linkace
Linkace Linkace
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T18:55:40.498Z

Reserved: 2026-02-19T17:25:31.100Z

Link: CVE-2026-27458

cve-icon Vulnrichment

Updated: 2026-02-24T18:55:31.476Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-21T07:16:13.407

Modified: 2026-02-24T15:03:33.153

Link: CVE-2026-27458

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T17:00:10Z

Weaknesses