CVE-2026-7501 - Vulnerability Details

- LinkStackOrg LinkStack UserController.php editPage cross site scripting

Description

A weakness has been identified in LinkStackOrg LinkStack up to 4.8.6. Impacted is the function editPage of the file app/Http/Controllers/UserController.php. Executing a manipulation of the argument pageDescription can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through a pull request but has not reacted yet.

Published: 2026-04-30

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A weakness in the editPage function of LinkStackOrg LinkStack allows an attacker to inject malicious script via the pageDescription parameter. The flaw is a classic stored cross‑site scripting issue, so injected payloads will persist in the database and execute in any user’s browser that views the affected page. This can permit theft of session cookies, defacement or distribution of malware to site users and can compromise confidentiality, integrity and availability of the application data.

Affected Systems

LinkStackOrg LinkStack versions up to and including 4.8.6 are affected. The vulnerability resides in the file app/Http/Controllers/UserController.php of the project hosted on GitHub. No other products are listed as impacted.

Risk and Exploitability

The CVSS base score is 5.1, indicating moderate risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the public availability of an exploit code suggests it is actively exploitable. Attackers can launch the attack remotely by sending crafted requests containing malicious pageDescription data; no special privileges or local access are required.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

LinkStackOrg

LinkStack

affected

Version	Status	Constraints
`4.8.0`	affected	—
`4.8.1`	affected	—
`4.8.2`	affected	—
`4.8.3`	affected	—
`4.8.4`	affected	—
`4.8.5`	affected	—
`4.8.6`	affected	—

No data.

Vendor Product Confidence Versions

Linkstack

93%

Version	Status	Scheme	Platform
`4.8.0`	affected	semver	—
`4.8.1`	affected	semver	—
`4.8.2`	affected	semver	—
`4.8.3`	affected	semver	—
`4.8.4`	affected	semver	—
`4.8.5`	affected	semver	—
`4.8.6`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade LinkStack to a version newer than 4.8.6 that contains the input sanitization patch for pageDescription.
If upgrading is not immediately possible, add server‑side output encoding or a strict whitelist to sanitize the pageDescription value before storing or rendering it.
Continuously monitor application logs for abnormal input containing script tags and any unauthorized redirects or session hijacking attempts.

Generated by OpenCVE AI on May 1, 2026 at 04:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00034.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/LinkStackOrg/LinkStack/
https://github.com/LinkStackOrg/LinkStack/pull/974
https://github.com/az10b/security-advisories/blob/main/stored_xss_linkstack.md
https://vuldb.com/submit/801651
https://vuldb.com/vuln/360311
https://vuldb.com/vuln/360311/cti

History

Fri, 01 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 01 May 2026 08:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linkstack Linkstack linkstack
Vendors & Products		Linkstack Linkstack linkstack

Thu, 30 Apr 2026 21:15:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in LinkStackOrg LinkStack up to 4.8.6. Impacted is the function editPage of the file app/Http/Controllers/UserController.php. Executing a manipulation of the argument pageDescription can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through a pull request but has not reacted yet.
Title		LinkStackOrg LinkStack UserController.php editPage cross site scripting
Weaknesses		CWE-79 CWE-94
References		https://github.com/LinkStackOrg/LinkStack/ https://github.com/LinkStackOrg/LinkStack/pull/974 https://github.com/az10b/security-advisories/blob/main/stored_xss_linkstack.md https://vuldb.com/submit/801651 https://vuldb.com/vuln/360311 https://vuldb.com/vuln/360311/cti
Metrics		cvssV2_0 `{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Linkstack Linkstack

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-30T20:45:12.021Z

Updated: 2026-05-01T19:30:37.795Z

Reserved: 2026-04-30T14:38:39.545Z

Link: CVE-2026-7501

Vulnrichment

Updated: 2026-05-01T16:19:29.173Z

NVD

Status : Deferred

Published: 2026-04-30T21:16:34.360

Modified: 2026-05-01T15:26:24.553

Link: CVE-2026-7501

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:15:12Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object