The vulnerability is a stored cross‑site scripting flaw that originates from the archive upload endpoint in Linkwarden. HTML files can be uploaded without any sanitization of embedded JavaScript. When a user later retrieves the archived page, the server serves the document with a text/html content type and no content‑security‑policy header. Because the response is served from the same origin as the authenticated Linkwarden session, an attacker who can upload a malicious archive gains the ability to run JavaScript in the context of that session and may potentially steal authentication tokens, based on the description, it is inferred that the attacker could compromise user session data. The weakness is a classic client‑side injection problem.

This issue affects the self‑hosted, open‑source Linkwarden bookmark manager provided by the vendor linkwarden. All releases up to and including 2.14.0 are vulnerable; versions newer than 2.14.0 are not known to contain the flaw.

The CVSS score of 8.8 reflects high severity, and the attack path is straightforward: an authenticated user with upload permissions can directly place malicious script in an archived page. Because the server does not enforce any CSP header, the script runs with full privileges of the logged‑in user. No exploit code is publicly available, and the vulnerability is not listed in the CISA KEV catalog, but the absence of an mitigation measure suggests that the risk remains high in environments that allow custom archive uploads.