๐Ÿ” CVE Alert

CVE-2026-42455

Severity: UNKNOWN (0.0)

LinkWarden: Stored XSS via Client-Side Archive Upload (Unsanitized HTML served from same origin)

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. In versions 2.14.0 and prior, the archive upload endpoint (POST /api/v1/archives/[linkId]?format=4) accepts HTML files (text/html) without sanitizing JavaScript content. When the archive is later accessed via GET /api/v1/archives/[linkId]?format=4, the HTML is served with Content-Type: text/html from the Linkwarden origin, without any Content-Security-Policy header. This allows arbitrary JavaScript execution in the context of the authenticated Linkwarden session. At time of publication, there are no publicly available patches.
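As an added defensive example (not Linkwarden's own code), the following contrasts the response header set the advisory describes with a hardened set for the same archive endpoint, and includes a check that reports whether a response carrying user-uploaded HTML is isolated from the application origin. The CSP value, the constant names and assessArchiveResponse are assumptions for illustration, not the project's API.

```javascript
// Added example, not Linkwarden's code. Models the response header sets for an
// endpoint that returns a user-uploaded HTML archive (format=4 in the advisory)
// and a check that a code reviewer or integration test can run on them.

// What the advisory describes: raw text/html from the app origin, no CSP.
const VULNERABLE_ARCHIVE_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
};

// Hardened set (assumed policy): a CSP sandbox with no allow-* flags gives the
// document an opaque origin and disables scripts, so stored markup cannot act
// on the authenticated session; nosniff stops content-type guessing.
const HARDENED_ARCHIVE_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Content-Security-Policy': "sandbox; default-src 'none'; img-src data:; style-src 'unsafe-inline'",
  'X-Content-Type-Options': 'nosniff',
};

// Parse a CSP header value into { directiveName: [tokens] }.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Decide whether a response carrying user-supplied HTML is isolated from the
// application origin. Isolation holds if the body is never rendered inline,
// if scripts cannot run, or if the document gets an opaque (sandboxed) origin.
function assessArchiveResponse(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  if ((h['content-disposition'] || '').toLowerCase().startsWith('attachment')) {
    return { isolated: true, findings }; // downloaded, never rendered as a page
  }
  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : null;
  const sandbox = csp && csp['sandbox']; // [] when present with no flags
  const scriptSrc = csp && (csp['script-src'] || csp['default-src'] || []);
  const scriptsRun = !csp || ((!sandbox || sandbox.includes('allow-scripts')) && !scriptSrc.includes("'none'"));
  const appOrigin = !csp || !sandbox || sandbox.includes('allow-same-origin');
  if (scriptsRun) findings.push('scripts in the archive can execute');
  if (appOrigin) findings.push('archive document runs with the application origin');
  return { isolated: !(scriptsRun && appOrigin), findings };
}
```

Serving archives from a separate origin (a dedicated hostname with no session cookies) is the other common fix; the check above does not model that because it only sees headers.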

CWE: CWE-79
Vendor: linkwarden
Product: linkwarden
Published: May 8, 2026

Affected Versions

linkwarden / linkwarden
<= 2.14.0

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/linkwarden/linkwarden/security/advisories/GHSA-fjvg-mch3-j3vg