Description
LinkAce is a self-hosted archive to collect links of your favorite websites. Prior to 1.15.6, a reflected cross-site scripting (XSS) vulnerability exists in LinkAce. The issue occurs in the "URL" field of the "Edit Link" module, where user input is not properly sanitized or encoded before being reflected in the HTML response. This allows an attacker to inject and execute arbitrary JavaScript in the context of the victim's browser, leading to potential session hijacking, data theft, and unauthorized actions performed with the victim's session. As a reflected XSS the attack requires user interaction (the victim must open a crafted link), which is what the UI:R component of the CVSS vector below records. This vulnerability is fixed in 1.15.6.
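As an added illustration of the bug class, and not code from LinkAce or its fix (LinkAce is a PHP/Laravel application, and this page does not reproduce the affected template), the Python sketch below contrasts an edit form that reflects the submitted URL field unencoded with one that encodes it for the HTML attribute context. It also includes a hypothetical checker of the kind a tester would run against both versions, and a URL-shape check to show why input validation alone is not the fix. The payload string is constructed for this example and is not the advisory's proof of concept.

```python
import html
from urllib.parse import urlsplit

# Constructed test payload (not the advisory's PoC): closes the value="..."
# attribute and the <input> tag, then injects a new element with a handler.
PAYLOAD = '"><img src=x onerror=alert(1)>'


def render_edit_form_vulnerable(url: str) -> str:
    """Hypothetical vulnerable handler: the submitted URL is interpolated
    straight into the form's value attribute without any encoding."""
    return f'<form method="post"><input name="url" value="{url}"></form>'


def render_edit_form_fixed(url: str) -> str:
    """Hardened handler: encode for the HTML attribute context. quote=True
    (the default) turns the double quote into &quot;, so the attribute
    cannot be closed early; < and > become &lt; and &gt;."""
    return (
        '<form method="post"><input name="url" value="'
        + html.escape(url, quote=True)
        + '"></form>'
    )


def is_reflected_unencoded(response: str, payload: str) -> bool:
    """Hypothetical checker: True if the raw payload survives in the response,
    i.e. the reflection point is still exploitable."""
    return payload in response


def looks_like_http_url(url: str) -> bool:
    """Shape check used as defence in depth. Note it accepts URLs that contain
    a literal double quote, so it does not replace output encoding."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


if __name__ == "__main__":
    for name, render in (("vulnerable", render_edit_form_vulnerable),
                         ("fixed", render_edit_form_fixed)):
        body = render(PAYLOAD)
        print(f"{name}: reflected unencoded = {is_reflected_unencoded(body, PAYLOAD)}")
        print("  ", body)
```

The useful distinction is the attribute context: a URL reflected inside `value="..."` does not need `<script>` to be dangerous, only a `"` to break out of the attribute, which is why encoding quotes (not just angle brackets) matters. The `looks_like_http_url` check is worth keeping for a URL field, but a value such as `https://example.com/"` passes it and still breaks out if reflected unencoded, so the encoding in the rendering path is the actual fix.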
References (2)
Exploit, Vendor Advisory: https://github.com/Kovah/LinkAce/security/advisories/GHSA-cjcg-wj4p-pgc5
Patch: https://github.com/Kovah/LinkAce/commit/c7cd6a323a03ccd89c7f905f7d9f2afc265b7b67
Scores
CVSS v3
4.6
EPSS
0.0093
EPSS Percentile
76.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
linkace/linkace
< 1.15.6
Published
Dec 27, 2024
Tracked Since
Feb 18, 2026