XSS in Kovah Linkace
CVE-2026-27458
LinkAce is a self-hosted archive to collect website links. Versions 2.4.2 and below have a Stored Cross-site Scripting vulnerability through the Atom feed endpoint for lists (/lists/feed). An authenticated user can inject a CDATA-breaking…
EPSS: 0.000 (3.7th percentile)
Affected products
- Kovah Linkace — versions < 2.4.3
Weakness classification (CWE)
References
- https://github.com/Kovah/LinkAce/security/advisories/GHSA-2r9p-95xj-p583 (x_refsource_CONFIRM)
- https://github.com/Kovah/LinkAce/commit/eb5ba2abe05177ffa678baac0aa3f9c48b47d2f0 (x_refsource_MISC)