CVE-2026-27458

{"id": "CVE-2026-27458", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-21T07:16:13.407", "references": [{"url": "https://github.com/Kovah/LinkAce/commit/eb5ba2abe05177ffa678baac0aa3f9c48b47d2f0", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-2r9p-95xj-p583", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-80"}]}], "descriptions": [{"lang": "en", "value": "LinkAce is a self-hosted archive to collect website links. Versions 2.4.2 and below have a Stored Cross-site Scripting vulnerability through the Atom feed endpoint for lists (/lists/feed). An authenticated user can inject a CDATA-breaking payload into a list description that escapes the XML CDATA section, injects a native SVG element into the Atom XML document, and executes arbitrary JavaScript directly in the browser when the feed URL is visited. No RSS reader or additional rendering context is required \u2014 the browser's native XML parser processes the injected SVG and fires the onload event handler. This vulnerability exists because the lists feed template outputs list descriptions using Blade's raw syntax ({!! !!}) without sanitization inside a CDATA block. The critical detail is that because the output sits inside <![CDATA[...]]>, an attacker can inject the sequence ]]> to close the CDATA section prematurely, then inject arbitrary XML/SVG elements that the browser parses and executes natively as part of the Atom document. This issue has been fixed in version 2.4.3."}, {"lang": "es", "value": "LinkAce es un archivo autoalojado para recopilar enlaces de sitios web. Las versiones 2.4.2 e inferiores tienen una vulnerabilidad de cross-site scripting almacenado a trav\u00e9s del endpoint de feed Atom para listas (/lists/feed). Un usuario autenticado puede inyectar una carga \u00fatil que rompe CDATA en la descripci\u00f3n de una lista que escapa de la secci\u00f3n CDATA de XML, inyecta un elemento SVG nativo en el documento XML Atom y ejecuta JavaScript arbitrario directamente en el navegador cuando se visita la URL del feed. No se requiere un lector RSS o un contexto de renderizado adicional \u2014 el analizador XML nativo del navegador procesa el SVG inyectado y dispara el gestor de eventos onload. Esta vulnerabilidad existe porque la plantilla del feed de listas genera las descripciones de las listas utilizando la sintaxis sin procesar de Blade ({!! !!}) sin sanitizaci\u00f3n dentro de un bloque CDATA. El detalle cr\u00edtico es que, debido a que la salida se encuentra dentro de ..., un atacante puede inyectar la secuencia ]]&gt; para cerrar la secci\u00f3n CDATA prematuramente, y luego inyectar elementos XML/SVG arbitrarios que el navegador analiza y ejecuta de forma nativa como parte del documento Atom. Este problema ha sido solucionado en la versi\u00f3n 2.4.3."}], "lastModified": "2026-02-24T15:03:33.153", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linkace:linkace:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "71CF22B8-6AF6-46D6-B105-A04C26157590", "versionEndExcluding": "2.4.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}