PT-2026-21363 · Linkace · Linkace

Rvizx · Published 2026-02-21 · Updated 2026-02-21 · CVE-2026-27458

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: LinkAce versions 2.4.2 and below

Description: LinkAce, a self-hosted archive for website links, is affected by a Stored Cross-site Scripting issue. An authenticated user can inject a payload into a list description that is rendered by the Atom feed endpoint ('/lists/feed'); the payload escapes the XML CDATA section and injects a native SVG element into the Atom XML document. This allows arbitrary JavaScript to execute when the feed URL is visited, without requiring an RSS reader or any additional rendering context. The issue arises because list descriptions are output using Blade's raw syntax without sanitization inside a CDATA block. Specifically, the sequence ']]>' can be injected to close the CDATA section prematurely, enabling the injection of arbitrary XML/SVG elements that are then parsed and executed by the browser.

Recommendations: Update LinkAce to version 2.4.3 or later.
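The root cause above is untrusted text placed inside a CDATA section without neutralising the ']]>' terminator. The following is an added example, not LinkAce's own code or its actual patch, showing two ways a feed template can emit such text safely: splitting any ']]>' so the CDATA section can never be closed early, or avoiding CDATA and entity-encoding the value (what Blade's '{{ }}' does and '{!! !!}' does not). The function names and the sample description are constructed for the example.

```php
<?php
// Added example (not LinkAce's code): safe embedding of untrusted text in an Atom feed.

/**
 * Wrap $text in a CDATA section that cannot be terminated by its own content.
 * Every "]]>" becomes "]]]]><![CDATA[>": the section ends after "]]" and a new
 * one starts before ">", so the parser sees the three characters as plain text.
 */
function cdata(string $text): string
{
    return '<![CDATA[' . str_replace(']]>', ']]]]><![CDATA[>', $text) . ']]>';
}

/**
 * Alternative that avoids CDATA entirely: entity-encode the text for XML.
 * Equivalent to Blade's escaped "{{ }}" output rather than raw "{!! !!}".
 */
function escaped(string $text): string
{
    return htmlspecialchars($text, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

/** Build a minimal Atom document and return the parsed <content> element. */
function parsedContent(string $body): DOMElement
{
    $xml = '<?xml version="1.0" encoding="utf-8"?>'
         . '<feed xmlns="http://www.w3.org/2005/Atom"><entry>'
         . '<content type="text">' . $body . '</content>'
         . '</entry></feed>';
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml)) {
        throw new RuntimeException('feed is not well-formed XML');
    }
    return $doc->getElementsByTagName('content')->item(0);
}

// Constructed description containing the CDATA terminator followed by markup.
$description = 'My links ]]><b>not markup</b> still text';

foreach (['cdata' => cdata($description), 'escaped' => escaped($description)] as $mode => $body) {
    $content = parsedContent($body);
    // The description must round-trip as character data and create no child elements.
    if ($content->textContent !== $description || $content->getElementsByTagName('*')->length !== 0) {
        throw new RuntimeException("$mode: description leaked into the XML tree");
    }
    echo "$mode: description preserved as text, no elements injected\n";
}
```

Run with `php feed_cdata_check.php`; both modes must report the description preserved as text, and any template change that reintroduces raw output would fail the element-count check.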

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-27458
GHSA-2R9P-95XJ-P583

Affected Products

Linkace