CVE-2026-45343
Stored XSS in LinkAce via OAuth Display Name
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linkace | linkace | up to 2.5.6 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows low-privilege users to execute arbitrary JavaScript in an administrator's browser session, potentially leading to session cookie theft and CSRF token exfiltration.
Such unauthorized access and data exposure could compromise sensitive information and administrative controls, which may negatively impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive data.
However, the provided information does not explicitly state the direct impact on compliance with these regulations.
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) issue in LinkAce versions prior to 2.5.6. It affects instances that use SSO/OAuth authentication. A low-privilege user can set their OAuth display name to a malicious script and create an API token, which plants a persistent XSS payload in the audit log. When an administrator visits the audit log page, the malicious script executes in the admin's browser.
How can this vulnerability impact me?
The vulnerability allows an attacker to execute arbitrary JavaScript in an administrator's browser session. This can lead to session cookie theft, exfiltration of CSRF tokens, or performing any actions that the administrator is authorized to do. Essentially, it can compromise the administrator's account and control over the LinkAce instance.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade LinkAce to version 2.5.6 or later, where the stored cross-site scripting issue has been fixed.
Additionally, review and monitor OAuth display names and API tokens for suspicious or malicious scripts, especially in audit logs.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability, you should check if your LinkAce instance is running a version prior to 2.5.6 and if it uses SSO/OAuth authentication.
Specifically, you can inspect the audit log for suspicious entries where the OAuth display name contains potentially malicious JavaScript code.
Since the vulnerability involves stored XSS in the audit log, you can use commands to query the database or logs for unusual script tags or HTML elements in the OAuth display name fields.
- Use a database query to find OAuth display names containing script tags, for example in SQL: `SELECT * FROM users WHERE oauth_display_name LIKE '%<script>%';`
- Check the audit log files or database entries for HTML or JavaScript code injected in the display name fields.
- Monitor network traffic for suspicious API token creation requests with unusual OAuth display names.
Additionally, reviewing the /system/audit page in the admin interface for unexpected script execution or unusual entries can help detect exploitation attempts.
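The checks above can be scripted. The following is an added example, not code from this page or from the LinkAce project: it scans exported audit-log rows for markup in the actor display name (including entity-encoded values that a plain `LIKE '%<script>%'` would miss) and shows escape-on-output, the fix class for CWE-79. The row layout, column names and sample values are constructed assumptions, not LinkAce's schema.

```python
import html
import re

# Markup has no legitimate place in a display name, so any of these patterns in a
# stored OAuth display name or an audit-log actor field is worth a review; it is
# a triage heuristic, not proof of exploitation.
TAG_START_RE = re.compile(r"</?[A-Za-z][A-Za-z0-9-]*[\s/>]")  # <b>, </b>, <img src
EVENT_ATTR_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)  # onload=, onerror=
JS_URI_RE = re.compile(r"javascript\s*:", re.IGNORECASE)

def suspicious_markup(value: str) -> list[str]:
    """Return why `value` looks like injected HTML/JS (empty list if clean).
    Entities are decoded first so a value stored as &lt;script&gt; is still found;
    '<3' and 'a < b' do not match, since a tag needs a name right after '<'."""
    decoded = html.unescape(value)
    reasons = []
    if TAG_START_RE.search(decoded):
        reasons.append("html-tag")
    if EVENT_ATTR_RE.search(decoded):
        reasons.append("event-handler-attribute")
    if JS_URI_RE.search(decoded):
        reasons.append("javascript-uri")
    return reasons

def scan_audit_rows(rows):
    """rows: (entry_id, actor_display_name, action) tuples -> rows needing review."""
    findings = []
    for entry_id, name, _action in rows:
        reasons = suspicious_markup(name)
        if reasons:
            findings.append((entry_id, name, reasons))
    return findings

def render_audit_line(actor_display_name: str, action: str) -> str:
    """Escape-on-output, the CWE-79 fix: the stored value stays untouched and
    '<', '>', '&' and quotes are encoded when the audit entry becomes HTML."""
    return f"<li>{html.escape(actor_display_name)} {html.escape(action)}</li>"

# Constructed sample export, not real LinkAce data; the column layout is assumed.
SAMPLE_AUDIT_ROWS = [
    (101, "Alice Example", "api_token.created"),
    (102, "<script>test</script>", "api_token.created"),
    (103, "&lt;b&gt;Bob&lt;/b&gt;", "api_token.created"),
    (104, "Cara <3 coffee", "api_token.created"),
    (105, "Dan O'Brien", "login"),
]

if __name__ == "__main__":
    for entry_id, name, reasons in scan_audit_rows(SAMPLE_AUDIT_ROWS):
        print(f"review audit entry {entry_id}: {name!r} -> {', '.join(reasons)}")
```

Feed it the actual column holding the OAuth display name from your own database export; entries 102 and 103 in the sample are the ones flagged, while the heart and the apostrophe do not produce false positives.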