CVE-2025-49588

HIGH

Linkwarden <2.10.2 - Info Disclosure

Title source: llm

Description

Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. In version 2.10.2, the server accepts links of format file:///etc/passwd and doesn't do any validation before sending them to parsers and playwright, this can result in leak of other user's links (and in some cases it might be possible to leak environment secrets). This issue has been patched in version 2.10.3 which has not been made public at time of publication.

References (1)

[Vendor Advisory] https://github.com/linkwarden/linkwarden/security/advisories/GHSA-rfc2-x8hr-536q

Scores

CVSS v4 8.7

EPSS 0.0039

EPSS Percentile 59.7%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-73

Status published

Products (1)

linkwarden/linkwarden = 2.10.2

Published Jul 02, 2025

Tracked Since Feb 18, 2026