cvedb.io
CVE-2026-27458
MEDIUM · CVSS 5.4
EPSS exploitation probability: 0%
Published 2026-02-21T07:16:13.407 · Last modified 2026-06-17T10:27:11.240

Summary

LinkAce is a self-hosted archive to collect website links. Versions 2.4.2 and below have a Stored Cross-site Scripting vulnerability through the Atom feed endpoint for lists (/lists/feed). An authenticated user can inject a CDATA-breaking payload into a list description that escapes the XML CDATA section, injects a native SVG element into the Atom XML document, and executes arbitrary JavaScript directly in the browser when the feed URL is visited. No RSS reader or additional rendering context is required — the browser's native XML parser processes the injected SVG and fires the onload event handler. This vulnerability exists because the lists feed template outputs list descriptions using Blade's raw syntax ({!! !!}) without sanitization inside a CDATA block. The critical detail is that bec

Affected products

linkace — linkace

Does this affect you?

Add your gear to cvedb and we'll alert you only when linkace ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.