CVE-2026-45343 HIGH

CVE-2026-45343: LinkAce - Stored XSS via Unsanitized SSO User's Name Rendered in Admin Audit Log Allows Session Hijacking

Vendor Kovah
Product LinkAce
Weakness CWE-79 · XSS
Published May 28, 2026
Last update May 30, 2026

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains a stored cross-site scripting vulnerability that allows a low-privilege user to execute arbitrary JavaScript in an administrator's browser session. This affects instances configured with SSO/OAuth authentication, which is one of the supported authentication methods in LinkAce. An attacker who sets their OAuth display name to a malicious script and then creates an API token will plant a persistent XSS payload in the audit log. When any admin navigates to /system/audit, the payload executes in the admin's browser context. This enables session cookie theft, CSRF token exfiltration (exposed in the la-app-data meta tag), or any other action the admin can perform. This vulnerability is fixed in 2.5.6.

Key dates

02Disclosure timeline

May 28, 2026 CVE published
May 30, 2026 Record updated