Description
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains a stored cross-site scripting vulnerability that allows a low-privilege user to execute arbitrary JavaScript in an administrator's browser session. This affects instances configured with SSO/OAuth authentication, which is one of the supported authentication methods in LinkAce. An attacker who sets their OAuth display name to a malicious script and then creates an API token will plant a persistent XSS payload in the audit log. When any admin navigates to /system/audit, the payload executes in the admin's browser context. This enables session cookie theft, CSRF token exfiltration (exposed in the la-app-data meta tag), or any other action the admin can perform. This vulnerability is fixed in 2.5.6.
Published: 2026-05-28
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LinkAce, a self‑hosted link collection platform, has a stored cross‑site scripting vulnerability that is triggered through an OAuth display name. A low‑privilege user can set a malicious script as their OAuth display name and then generate an API token, which causes the payload to be written into the audit log. When any administrator visits the audit log page, the script executes inside the admin’s browser context, allowing the attacker to steal session cookies, exfiltrate CSRF tokens, or perform any other action that the administrator can perform.

Affected Systems

The flaw affects all installations of Kovah LinkAce prior to version 2.5.6 that are configured to use SSO/OAuth authentication. Versions 2.5.6 and later include the necessary patch. Administrators of older deployments are at risk until they upgrade or otherwise mitigate the issue.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity. EPSS data is not available and the vulnerability is not listed in CISA's KEV catalogue, but the attack remains feasible because it requires only that an attacker have an OAuth account, which is typically available to any user. The exploitation path is straightforward: set a malicious display name, create an API token, and wait for an administrator to view the audit logs. The payload runs in the admin’s browser context, providing complete control over that session.

Generated by OpenCVE AI on May 28, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to LinkAce 2.5.6 or newer.
  • Sanitize or disallow script‑containing characters in OAuth display names before storing or rendering them; adjust the SSO configuration to strip or encode such values.
  • Delete or restrict access to the affected audit log entries and, if feasible, temporarily disable audit log visibility until the patch is applied.
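An illustrative hardening check for the two rendering and storage points named above, added here and not LinkAce's own code. It assumes the audit log is rendered as HTML table rows and that an OAuth display name never legitimately contains markup; the sample rows and the markup heuristic are constructed for the example.

```python
import html
import re

# Constructed sample audit-log rows: (actor display name, action). The second
# name is a harmless markup probe standing in for the stored-XSS case.
SAMPLE_AUDIT_ROWS = [
    ("alice", "created api token"),
    ("<script>alert(1)</script>", "created api token"),
]

# Heuristic (assumed): tags, inline event handlers and javascript: URLs have no
# business in a display name returned by an OAuth/SSO provider.
MARKUP_RE = re.compile(r"<[^>]+>|\bon\w+\s*=|javascript:", re.IGNORECASE)


def render_row_vulnerable(actor, action):
    """Interpolates the stored name raw: the CWE-79 defect class the advisory describes."""
    return f"<tr><td>{actor}</td><td>{action}</td></tr>"


def render_row_escaped(actor, action):
    """Encodes both fields for an HTML text context before they reach the admin's page."""
    safe_actor = html.escape(actor, quote=True)
    safe_action = html.escape(action, quote=True)
    return f"<tr><td>{safe_actor}</td><td>{safe_action}</td></tr>"


def accept_display_name(name, max_len=120):
    """Store-time check: returns the trimmed name, or None if it carries markup or control chars."""
    if len(name) > max_len or MARKUP_RE.search(name):
        return None
    if any(ord(c) < 32 for c in name):
        return None
    return name.strip()


def flag_suspicious_names(rows):
    """Triage of names already stored: returns those that look like markup."""
    return [actor for actor, _ in rows if MARKUP_RE.search(actor)]
```

Output encoding at render time is the fix that closes the bug; the store-time check and the triage pass only reduce exposure of existing entries while an upgrade is pending.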

Advisories

No advisories yet.

History

Sat, 30 May 2026 04:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 22:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Kovah; Kovah linkace
Vendors & Products  |                | Kovah; Kovah linkace

Thu, 28 May 2026 21:30:00 +0000

Type        | Values Removed | Values Added
Description |                | LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains a stored cross-site scripting vulnerability that allows a low-privilege user to execute arbitrary JavaScript in an administrator's browser session. This affects instances configured with SSO/OAuth authentication, which is one of the supported authentication methods in LinkAce. An attacker who sets their OAuth display name to a malicious script and then creates an API token will plant a persistent XSS payload in the audit log. When any admin navigates to /system/audit, the payload executes in the admin's browser context. This enables session cookie theft, CSRF token exfiltration (exposed in the la-app-data meta tag), or any other action the admin can perform. This vulnerability is fixed in 2.5.6.
Title       |                | LinkAce - Stored XSS via Unsanitized SSO User's Name Rendered in Admin Audit Log Allows Session Hijacking
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-30T02:19:54.790Z

Reserved: 2026-05-11T21:40:08.177Z

Link: CVE-2026-45343

Vulnrichment

Updated: 2026-05-30T02:19:49.337Z

NVD

Status : Deferred

Published: 2026-05-28T22:17:00.367

Modified: 2026-05-30T04:17:22.067

Link: CVE-2026-45343

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T22:30:28Z

Weaknesses