CVE-2026-45343
Deferred Deferred - Pending Action
Stored XSS in LinkAce via OAuth Display Name

Publication date: 2026-05-28

Last updated on: 2026-05-30

Assigner: GitHub, Inc.

Description
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains a stored cross-site scripting vulnerability that allows a low-privilege user to execute arbitrary JavaScript in an administrator's browser session. This affects instances configured with SSO/OAuth authentication, which is one of the supported authentication methods in LinkAce. An attacker who sets their OAuth display name to a malicious script and then creates an API token will plant a persistent XSS payload in the audit log. When any admin navigates to /system/audit, the payload executes in the admin's browser context. This enables session cookie theft, CSRF token exfiltration (exposed in the la-app-data meta tag), or any other action the admin can perform. This vulnerability is fixed in 2.5.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-30
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-45343
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linkace linkace to 2.5.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows low-privilege users to execute arbitrary JavaScript in an administrator's browser session, potentially leading to session cookie theft and CSRF token exfiltration.

Such unauthorized access and data exposure could compromise sensitive information and administrative controls, which may negatively impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive data.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in LinkAce versions prior to 2.5.6. It affects instances that use SSO/OAuth authentication. A low-privilege user can set their OAuth display name to a malicious script and create an API token, which plants a persistent XSS payload in the audit log. When an administrator visits the audit log page, the malicious script executes in the admin's browser.

Impact Analysis

The vulnerability allows an attacker to execute arbitrary JavaScript in an administrator's browser session. This can lead to session cookie theft, exfiltration of CSRF tokens, or performing any actions that the administrator is authorized to do. Essentially, it can compromise the administrator's account and control over the LinkAce instance.

Mitigation Strategies

To mitigate this vulnerability, upgrade LinkAce to version 2.5.6 or later, where the stored cross-site scripting issue has been fixed.

Additionally, review and monitor OAuth display names and API tokens for suspicious or malicious scripts, especially in audit logs.

Detection Guidance

To detect this vulnerability, you should check if your LinkAce instance is running a version prior to 2.5.6 and if it uses SSO/OAuth authentication.

Specifically, you can inspect the audit log for suspicious entries where the OAuth display name contains potentially malicious JavaScript code.

Since the vulnerability involves stored XSS in the audit log, you can use commands to query the database or logs for unusual script tags or HTML elements in the OAuth display name fields.

  • Use a database query to find OAuth display names containing script tags, for example in SQL: SELECT * FROM users WHERE oauth_display_name LIKE '%<script>%';
  • Check the audit log files or database entries for HTML or JavaScript code injected in the display name fields.
  • Monitor network traffic for suspicious API token creation requests with unusual OAuth display names.

Additionally, reviewing the /system/audit page in the admin interface for unexpected script execution or unusual entries can help detect exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45343. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart