CVE-2026-45343: LinkAce - Stored XSS via Unsanitized SSO User's Name Rendered in Admin Audit Log Allows Session Hijacking
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains a stored cross-site scripting vulnerability that allows a low-privilege user to execute arbitrary JavaScript in an administrator's browser session. This affects instances configured with SSO/OAuth authentication, which is one of the supported authentication methods in LinkAce. An attacker who sets their OAuth display name to a malicious script and then creates an API token will plant a persistent XSS payload in the audit log. When any admin navigates to /system/audit, the payload executes in the admin's browser context. This enables session cookie theft, CSRF token exfiltration (exposed in the la-app-data meta tag), or any other action the admin can perform. This vulnerability is fixed in 2.5.6.
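The flaw class described above, shown as an added example that is not LinkAce's code and not part of the original advisory: a Python model of an audit-log row rendered with and without output encoding, plus a review check for stored display names that contain markup. The function names, the row template and the sample entries are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample audit entries: (actor display name, action).
SAMPLE_ENTRIES = [
    ("Alice Example", "created an API token"),
    ('<script>document.title="x"</script>', "created an API token"),
    ("O'Brien & Sons", "created an API token"),  # legitimate name, special chars
]

# Tag-like sequences or inline event-handler attributes inside a display name.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon\w+\s*=", re.IGNORECASE)


def render_unescaped(name, action):
    """Models the flaw class: the name is placed into the HTML as-is."""
    return f"<li><b>{name}</b> {action}</li>"


def render_escaped(name, action):
    """Output-encode every dynamic value at the point where it is rendered."""
    return (f"<li><b>{html.escape(name, quote=True)}</b> "
            f"{html.escape(action, quote=True)}</li>")


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    """Return the element names an HTML parser sees in a rendered row."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def suspicious_names(entries):
    """Return display names containing markup, for manual review."""
    return [name for name, _ in entries if MARKUP_RE.search(name)]


if __name__ == "__main__":
    for name, action in SAMPLE_ENTRIES:
        print(tags_in(render_unescaped(name, action)),
              tags_in(render_escaped(name, action)))
    print("review:", suspicious_names(SAMPLE_ENTRIES))
```

The parser-based check works as a regression test: a row template should only ever yield its own elements, whatever the identity provider sends as a name.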
HarborGuard Analysis
Synopsis
Stored cross-site scripting (XSS) in LinkAce allows a low-privilege authenticated user to plant a persistent JavaScript payload in the administrator audit log. The attack requires only a low-privilege account via SSO/OAuth and passive victim interaction: an admin simply navigating to /system/audit triggers the payload in their browser. Successful exploitation gives the attacker full control over the admin session, enabling session cookie theft, CSRF token exfiltration, and arbitrary admin-level actions. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available the moment an upstream fix is released.
HarborGuard Coverage
Detection is available across every HarborGuard environment: CVE-2026-45343 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle LinkAce. Any image running a LinkAce version below 2.5.6 is flagged automatically.
Status: Available
HarborGuard scores this finding at CVSS 8.5 (High) and weights it against each customer environment's compliance policy before routing it to the appropriate team inbox. Per-environment context such as whether SSO/OAuth is enabled in the scanned image's configuration is surfaced alongside the finding to help prioritize response.
Status: Available
Because no upstream fix has been published, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention as soon as a fix version appears.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the LinkAce instance over the network to authenticate via SSO/OAuth and plant the payload; the victim admin must also reach the audit log endpoint over the network.
- Authentication: Required
  A low-privilege account is sufficient; the attacker only needs a valid SSO/OAuth identity to set a malicious display name and create an API token.
- Victim interaction: Required
  An administrator must navigate to /system/audit in their browser for the stored payload to execute, making this a passive social-engineering or wait-for-routine-action scenario.
- Attack complexity: Detail
  The exploit is reliable and condition-free once the payload is planted; no race conditions or special environmental factors are required to trigger execution.
Blast Radius
- Reads the admin session cookie, allowing the attacker to authenticate as the administrator from a separate session.
- Extracts the CSRF token exposed in the la-app-data meta tag, enabling forged state-changing requests on behalf of the admin.
- Performs any action the admin can take inside LinkAce, including modifying link archives, managing users, or changing system configuration.
How HarborGuard Handles This
Available on HarborGuard: images containing a LinkAce version below 2.5.6 are flagged as affected by CVE-2026-45343 as soon as the advisory is ingested. Because no upstream patch exists yet, HarborGuard re-checks the advisory on every ingest cycle and will trigger a patched-image rebuild automatically for customers with auto-remediation enabled the moment a fix version is published. In the interim, compensating controls worth considering include network-policy isolation that restricts which identities can register via SSO/OAuth, egress filtering on the LinkAce host to limit exfiltration paths if a payload fires, and review of audit-log access to minimize the number of admin accounts routinely browsing /system/audit. HarborGuard will surface the rebuild and open a PR against affected workloads without additional configuration once the upstream fix is available.
Metrics
- CVSS v4.0: 8.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - Kovah / LinkAce < 2.5.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N