These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
A critical vulnerability in LinkAce, a self-hosted link archiving application, allows remote command execution through the setup database configuration flow. The issue affects versions prior to 2.5.6 and stems from improper input validation during initial instance setup. When an uninitialized LinkAce instance is accessed, the setup endpoints accept attacker-controlled database credential fields and write [truncated]
A stored cross-site scripting (XSS) vulnerability in LinkAce prior to version 2.5.6 allows low-privilege attackers to execute arbitrary JavaScript in administrator browser sessions. The vulnerability specifically affects instances configured with SSO/OAuth authentication. An attacker can plant a persistent XSS payload by setting their OAuth display name to malicious script content and subsequently creatin [truncated]
LinkAce versions prior to 2.5.6 contain an Insecure Direct Object Reference (IDOR) vulnerability in the authorization policy layer. The flaw allows any authenticated user to modify resources owned by other users, including links, lists, tags, and notes. Both the web interface and REST API are affected. The root cause is in the update() methods of LinkPolicy, LinkListPolicy, TagPolicy, and NotePolicy, whic [truncated]