Executive Summary

CVE-2026-42455 is a Stored Cross-Site Scripting (XSS) vulnerability in Linkwarden versions up to 2.14.0. The archive upload endpoint accepts HTML files without sanitizing embedded JavaScript content. When these archives are later accessed, the unsanitized HTML is served without any Content-Security-Policy header, allowing arbitrary JavaScript to execute in the context of an authenticated user's session.

This happens because the upload path bypasses server-side sanitization that is otherwise applied in other archival handlers, enabling attackers to upload malicious HTML files that execute harmful scripts when viewed.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to attackers executing arbitrary JavaScript within authenticated user sessions. This can result in session token theft, session hijacking, and exfiltration of sensitive data such as bookmarks, collections, and user information stored in Linkwarden.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your Linkwarden instance is running version 2.14.0 or earlier and if the archive upload endpoint (POST /api/v1/archives/[linkId]?format=4) accepts HTML files containing JavaScript without sanitization.

You can test the vulnerability by attempting to upload an HTML file with embedded JavaScript to the archive upload endpoint and then accessing it via the GET endpoint to see if the JavaScript executes.

Network detection might involve monitoring HTTP requests to the archive upload endpoint for suspicious POST requests containing HTML with script tags.

• Use curl to upload a test HTML file with JavaScript to the vulnerable endpoint: curl -X POST -H "Content-Type: text/html" --data-binary @test.html https://your-linkwarden-instance/api/v1/archives/{linkId}?format=4
• Use curl or a browser to access the uploaded archive and observe if the JavaScript executes: curl https://your-linkwarden-instance/api/v1/archives/{linkId}?format=4
• Monitor web server logs or use intrusion detection systems to flag POST requests with HTML content to the archive upload endpoint.

Useful 0 Not Useful 0

Mitigation Strategies

Since no patches are currently available, immediate mitigation steps include restricting access to the archive upload endpoint to trusted users only.

You should disable or limit the ability to upload HTML files through the archive upload endpoint to prevent malicious JavaScript from being stored.

Implement network-level controls such as firewall rules or web application firewall (WAF) rules to block or monitor suspicious POST requests containing HTML content.

Educate users to avoid accessing untrusted or suspicious archives that may contain malicious scripts.

Monitor your Linkwarden instance for unusual activity that could indicate exploitation attempts.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows arbitrary JavaScript execution within authenticated sessions, which can lead to theft of session tokens, hijacking of sessions, and exfiltration of sensitive data such as links, collections, and user information.

Such unauthorized access and data exfiltration can result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Useful 0 Not Useful 0