CVE-2025-53838 HIGH

CVE-2025-53838: LinkAce has a Stored One Click XSS vulnerability

Vendor Kovah
Product LinkAce
Weakness CWE-79 · XSS
Published September 8, 2025
Last update September 8, 2025

CVSS base score

8.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

LinkAce is a self-hosted archive to collect website links. A stored cross-site scripting (XSS) vulnerability was discovered in versions prior to 2.1.9 that allows an attacker to inject arbitrary JavaScript, which is then executed in the context of a user's browser when the malicious link is clicked. This is a one-click XSS, meaning the victim only needs to click a crafted link — no further interaction is required. The application contains a stored XSS vulnerability due to insufficient filtering and escaping of user-supplied data inserted into link attributes. Malicious JavaScript code can be saved in the database along with the link and executed in the user’s browser when clicking the link, leading to arbitrary script execution within the context of the site. Version 2.1.9 fixes the issue.

Key dates

02Disclosure timeline

September 8, 2025 CVE published
September 8, 2025 Record updated