CVE-2026-42455

Published 09/05/2026 00:16 · Modified 09/05/2026 00:16

Labels: CVE-2026-42455 · 2026-05-09 · CWE-79 · [email protected]

Essential information

Published
09/05/2026 00:16
Modified
09/05/2026 00:16
Author
Creator
CVSS
8.8 HIGH (v3) 8.8 HIGH (v4.0)
CISA KEV
No
CWE
CWE-79
CVSS vector

CVSS metrics

Description

Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. In versions 2.14.0 and prior, the archive upload endpoint (POST /api/v1/archives/[linkId]?format=4) accepts HTML files (text/html) without sanitizing JavaScript content. When the archive is later accessed via GET /api/v1/archives/[linkId]?format=4, the HTML is served with Content-Type: text/html from the Linkwarden origin, without any Content-Security-Policy header. This allows arbitrary JavaScript execution in the context of the authenticated Linkwarden session. At time of publication, there are no publicly available patches.
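As an added defensive example (not Linkwarden's code and not the vendor's fix), the Node.js snippet below audits a captured HTTP response head for the condition described above, user-supplied HTML served as text/html with no Content-Security-Policy, and shows an assumed header set that serves untrusted archived HTML without letting it run script or share the application origin. The sample response and header values are constructed for illustration.

```javascript
// Added example, not Linkwarden code. The sample response and the hardened
// header set are assumptions chosen for illustration.

// Parse a raw HTTP response head into a status code and a lowercase header map.
function parseResponseHead(raw) {
  const [statusLine, ...rest] = raw.split(/\r?\n/);
  const headers = {};
  for (const line of rest) {
    if (line.trim() === "") break;            // blank line ends the head
    const i = line.indexOf(":");
    if (i < 0) continue;
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status: Number(statusLine.split(" ")[1]), headers };
}

// Flag an HTML response that would let an uploaded document run script in
// the serving origin: no CSP, a CSP without sandbox, or sniffable content.
function auditHtmlResponse(raw) {
  const { headers } = parseResponseHead(raw);
  const findings = [];
  const ctype = (headers["content-type"] || "").toLowerCase();
  if (!ctype.startsWith("text/html")) return findings;   // only HTML executes
  const csp = headers["content-security-policy"] || "";
  if (csp === "") findings.push("no Content-Security-Policy on text/html response");
  else if (!/(^|;)\s*sandbox(\s|;|$)/i.test(csp)) findings.push("CSP does not sandbox the document");
  if ((headers["x-content-type-options"] || "").toLowerCase() !== "nosniff")
    findings.push("missing X-Content-Type-Options: nosniff");
  return findings;
}

// Assumed mitigation for serving untrusted archives: the sandbox directive
// (no allow-scripts, no allow-same-origin) blocks script and gives the
// document an opaque origin, so it cannot reach the Linkwarden session.
function hardenedArchiveHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "sandbox; default-src 'none'; img-src data:; style-src 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
  };
}

function buildResponseHead(status, headers) {
  const lines = [`HTTP/1.1 ${status} OK`];
  for (const [name, value] of Object.entries(headers)) lines.push(`${name}: ${value}`);
  return lines.join("\r\n") + "\r\n\r\n";
}

// Constructed sample of the weak response described above: HTML with no CSP.
const WEAK_ARCHIVE_RESPONSE = buildResponseHead(200, { "Content-Type": "text/html" });
```

Running `auditHtmlResponse(WEAK_ARCHIVE_RESPONSE)` reports the missing CSP and nosniff headers, while a response built from `hardenedArchiveHeaders()` reports nothing.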

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]

Affected products (CPE)

Product
linkwarden / linkwarden
CPE
cpe:2.3:a:linkwarden:linkwarden:<2.14.0:*:*:*:*:*:*:*

References