{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-02T22:51:05.918","vulnerabilities":[{"cve":{"id":"CVE-2026-27458","sourceIdentifier":"security-advisories@github.com","published":"2026-02-21T07:16:13.407","lastModified":"2026-02-24T15:03:33.153","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"LinkAce is a self-hosted archive to collect website links. Versions 2.4.2 and below have a Stored Cross-site Scripting vulnerability through the Atom feed endpoint for lists (/lists/feed). An authenticated user can inject a CDATA-breaking payload into a list description that escapes the XML CDATA section, injects a native SVG element into the Atom XML document, and executes arbitrary JavaScript directly in the browser when the feed URL is visited. No RSS reader or additional rendering context is required — the browser's native XML parser processes the injected SVG and fires the onload event handler. This vulnerability exists because the lists feed template outputs list descriptions using Blade's raw syntax ({!! !!}) without sanitization inside a CDATA block. The critical detail is that because the output sits inside <![CDATA[...]]>, an attacker can inject the sequence ]]> to close the CDATA section prematurely, then inject arbitrary XML/SVG elements that the browser parses and executes natively as part of the Atom document. This issue has been fixed in version 2.4.3."},{"lang":"es","value":"LinkAce es un archivo autoalojado para recopilar enlaces de sitios web. Las versiones 2.4.2 e inferiores tienen una vulnerabilidad de cross-site scripting almacenado a través del endpoint de feed Atom para listas (/lists/feed). Un usuario autenticado puede inyectar una carga útil que rompe CDATA en la descripción de una lista que escapa de la sección CDATA de XML, inyecta un elemento SVG nativo en el documento XML Atom y ejecuta JavaScript arbitrario directamente en el navegador cuando se visita la URL del feed. No se requiere un lector RSS o un contexto de renderizado adicional — el analizador XML nativo del navegador procesa el SVG inyectado y dispara el gestor de eventos onload. Esta vulnerabilidad existe porque la plantilla del feed de listas genera las descripciones de las listas utilizando la sintaxis sin procesar de Blade ({!! !!}) sin sanitización dentro de un bloque CDATA. El detalle crítico es que, debido a que la salida se encuentra dentro de ..., un atacante puede inyectar la secuencia ]]&gt; para cerrar la sección CDATA prematuramente, y luego inyectar elementos XML/SVG arbitrarios que el navegador analiza y ejecuta de forma nativa como parte del documento Atom. Este problema ha sido solucionado en la versión 2.4.3."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-80"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:linkace:linkace:*:*:*:*:*:*:*:*","versionEndExcluding":"2.4.3","matchCriteriaId":"71CF22B8-6AF6-46D6-B105-A04C26157590"}]}]}],"references":[{"url":"https://github.com/Kovah/LinkAce/commit/eb5ba2abe05177ffa678baac0aa3f9c48b47d2f0","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/Kovah/LinkAce/security/advisories/GHSA-2r9p-95xj-p583","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}