CVE-2025-49588 HIGH

CVE-2025-49588: Linkwarden Local File Inclusion Vulnerability

Vendor Linkwarden
Product linkwarden
Weakness CWE-73
Published July 2, 2025
Last update July 2, 2025

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. In version 2.10.2, the server accepts links of format file:///etc/passwd and doesn't do any validation before sending them to parsers and playwright, this can result in leak of other user's links (and in some cases it might be possible to leak environment secrets). This issue has been patched in version 2.10.3 which has not been made public at time of publication.

Key dates

02Disclosure timeline

July 2, 2025 CVE published
July 2, 2025 Record updated