PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45343 Kovah CVE debrief

A stored cross-site scripting (XSS) vulnerability in LinkAce prior to version 2.5.6 allows low-privilege attackers to execute arbitrary JavaScript in administrator browser sessions. The vulnerability specifically affects instances configured with SSO/OAuth authentication. An attacker can plant a persistent XSS payload by setting their OAuth display name to malicious script content and subsequently creating an API token. This payload executes when any administrator navigates to the audit log page (/system/audit), enabling theft of the session cookie, exfiltration of the CSRF token (exposed in the la-app-data meta tag), or execution of any administrative action. The CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, and user interaction needed, with high impacts to confidentiality and integrity. The vulnerability is fixed in LinkAce version 2.5.6.

Vendor
Kovah
Product
LinkAce
CVSS
HIGH 8.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-30
Advisory published
2026-05-28
Advisory updated
2026-05-30

Who should care

Organizations running LinkAce instances with SSO/OAuth authentication enabled, particularly those with multiple users of varying privilege levels. Security teams responsible for self-hosted link archiving solutions. Administrators who review audit logs for security monitoring purposes.

Technical summary

LinkAce versions prior to 2.5.6 contain a stored XSS vulnerability in the audit log functionality when SSO/OAuth authentication is enabled. The root cause is insufficient sanitization of OAuth display names when rendered in the administrative audit log interface. An attacker with low privileges can inject JavaScript via their OAuth display name, which persists in the audit log when they create an API token. The payload executes in the context of any administrator viewing /system/audit, with access to session cookies and the CSRF token exposed in the la-app-data meta tag. This enables complete session compromise and privilege escalation. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
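The root cause described above, shown as an added example that is not LinkAce's own code: a constructed audit-log row whose actor display name comes from the OAuth provider, rendered once the vulnerable way (interpolated into HTML unchanged) and once the hardened way (HTML-entity encoded at output time). The AuditEvent structure, field names and the sample display name are assumptions made for illustration; the example is in Python rather than the project's own language.

```python
import html
from dataclasses import dataclass


@dataclass
class AuditEvent:
    """Constructed audit-log record, modelled on the 'API token created'
    event the advisory describes. Only the display name is user-controlled."""
    actor_display_name: str   # comes from the OAuth provider: attacker-controlled
    action: str               # server-generated
    timestamp: str            # server-generated


# Constructed test input: a display name carrying script markup.
SAMPLE_EVENT = AuditEvent(
    actor_display_name="<script>alert(1)</script>",
    action="api_token.created",
    timestamp="2026-05-27T10:15:00Z",
)


def render_row_unsafe(ev: AuditEvent) -> str:
    """Vulnerable pattern (CWE-79): user data goes into the HTML unchanged,
    so markup in the display name becomes live markup in the admin page."""
    return (f"<tr><td>{ev.actor_display_name}</td>"
            f"<td>{ev.action}</td><td>{ev.timestamp}</td></tr>")


def render_row_safe(ev: AuditEvent) -> str:
    """Hardened pattern: every value passes through HTML entity encoding at
    output time. quote=True also encodes quotes, so the same helper is safe
    for values placed inside attribute values."""
    def esc(s: str) -> str:
        return html.escape(s, quote=True)
    return (f"<tr><td>{esc(ev.actor_display_name)}</td>"
            f"<td>{esc(ev.action)}</td><td>{esc(ev.timestamp)}</td></tr>")


def contains_raw_tag(rendered_html: str, tag: str = "script") -> bool:
    """True if the rendered HTML still contains an un-encoded opening tag."""
    return f"<{tag}" in rendered_html.lower()


if __name__ == "__main__":
    print("unsafe:", render_row_unsafe(SAMPLE_EVENT))
    print("safe:  ", render_row_safe(SAMPLE_EVENT))
```

Encoding at output time, rather than trying to validate names on the way in, is the fix that covers every sink: the same display name may also be shown on profile pages or in token listings, and each of those renderings needs the encoding.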

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade LinkAce to version 2.5.6 or later to remediate this vulnerability.
  • Review audit logs for suspicious OAuth display names or API token creation events prior to the upgrade date.
  • Implement Content Security Policy (CSP) headers as a defense-in-depth measure to mitigate XSS impact.
  • Consider implementing additional output encoding for user-controlled data displayed in administrative interfaces.
  • Monitor for unauthorized administrative actions or session anomalies that may indicate prior exploitation.
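The audit-log review and the CSP recommendation above, as an added example that is not LinkAce's own code or export format: a scan over a constructed set of JSON-lines audit records that flags display names containing markup, lists actors who created API tokens before the upgrade cutoff, and checks a Content-Security-Policy value for the inline-script allowance that would defeat it. The record field names, the sample records and the policy string are assumptions; the real LinkAce audit export may differ.

```python
import json
import re

# Constructed audit-log export in JSON-lines form. Field names are assumed.
AUDIT_LOG_LINES = """\
{"ts": "2026-05-26T09:00:00Z", "actor": "alice", "event": "login", "display_name": "Alice Example"}
{"ts": "2026-05-27T10:15:00Z", "actor": "guest42", "event": "api_token.created", "display_name": "<script>alert(1)</script>"}
{"ts": "2026-05-27T10:16:00Z", "actor": "bob", "event": "api_token.created", "display_name": "Bob O'Brien"}
{"ts": "2026-05-27T11:00:00Z", "actor": "guest42", "event": "api_token.created", "display_name": "guest42"}
"""

# Markup that has no place in a human display name: an opening or closing tag,
# a javascript: URL, or an inline event-handler attribute. Apostrophes and
# accented letters do not match, so "Bob O'Brien" is not flagged.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def _records(lines: str):
    for line in lines.splitlines():
        if line.strip():
            yield json.loads(line)


def suspicious_display_names(lines: str):
    """(actor, display_name, ts) for every record whose display name looks
    like markup, whatever the event: a bad name is worth a look anywhere."""
    return [(r["actor"], r["display_name"], r["ts"])
            for r in _records(lines)
            if SUSPICIOUS.search(r.get("display_name", ""))]


def token_creations_before(lines: str, cutoff_ts: str):
    """Actors who created API tokens before the upgrade cutoff. ISO-8601 UTC
    timestamps of equal shape compare correctly as strings."""
    return {r["actor"] for r in _records(lines)
            if r["event"] == "api_token.created" and r["ts"] < cutoff_ts}


# Assumed defense-in-depth policy: no inline script, resources only from the
# site's own origin. Tune the source lists to the assets a deployment uses.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; "
              "base-uri 'self'; connect-src 'self'; frame-ancestors 'none'")


def csp_allows_inline_script(policy: str) -> bool:
    """True if the policy permits inline script, i.e. 'unsafe-inline' appears
    in script-src (or in default-src when script-src is absent). Such a
    policy gives no protection against stored XSS of this kind."""
    directives = {}
    for d in policy.split(";"):
        parts = d.strip().split()
        if parts:
            directives[parts[0]] = parts[1:]
    script_src = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in script_src


if __name__ == "__main__":
    for actor, name, ts in suspicious_display_names(AUDIT_LOG_LINES):
        print(f"{ts} {actor}: display name contains markup: {name!r}")
    print("token creators before cutoff:",
          sorted(token_creations_before(AUDIT_LOG_LINES, "2026-05-28T00:00:00Z")))
    print("CSP allows inline script:", csp_allows_inline_script(CSP_HEADER[1]))
```

Run the scan over the export taken before applying 2.5.6, then treat every flagged actor's API tokens and every administrator session that viewed /system/audit in the same window as suspect. The CSP check is worth wiring into a deployment test, because a policy that is present but carries 'unsafe-inline' in its script directive looks like a mitigation while providing none.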

Evidence notes

Vulnerability description sourced from official CVE record and GitHub Security Advisory. CVSS 4.0 vector confirms high severity with network accessibility and significant confidentiality/integrity impacts. Fix version 2.5.6 confirmed in advisory.

Official resources

2026-05-28