CVE-2026-45343
LinkAce - Stored XSS via Unsanitized SSO User's Name Rendered in Admin Audit Log Allows Session Hijacking
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains a stored cross-site scripting vulnerability that allows a low-privilege user to execute arbitrary JavaScript in an administrator's browser session. This affects instances configured with SSO/OAuth authentication, which is one of the supported authentication methods in LinkAce. An attacker who sets their OAuth display name to a malicious script and then creates an API token will plant a persistent XSS payload in the audit log. When any admin navigates to /system/audit, the payload executes in the admin's browser context. This enables session cookie theft, CSRF token exfiltration (exposed in the la-app-data meta tag), or any other action the admin can perform. This vulnerability is fixed in 2.5.6.
| CWE | CWE-79 |
| Vendor | kovah |
| Product | linkace |
| Published | May 28, 2026 |
| Last Updated | May 30, 2026 |
Get instant alerts for kovah linkace
Be the first to know when new unknown vulnerabilities affecting kovah linkace are published โ delivered to Slack, Telegram or Discord.