Stored Cross-Site Scripting in LinkAce by Kovah
CVE-2025-53838

8.4HIGH

Key Information:

Vendor: Kovah
Status: Linkace
Vendor: CVE Published:; 8 September 2025

What is CVE-2025-53838?

A stored cross-site scripting vulnerability has been identified in LinkAce, a self-hosted link archiving application. This vulnerability allows attackers to inject malicious JavaScript code that gets executed in a user’s browser when they click on a crafted link. The issue arises from inadequate filtering and escaping of user-supplied data within link attributes, enabling the insertion of harmful scripts into the database. The vulnerability is mitigated in version 2.1.9, which addresses the problem and enhances overall security.

Affected Version(s)

LinkAce < 2.1.9

References

https://github.com/Kovah/LinkAce/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/Kovah/LinkAce/commit/4da467a4b0fbb1650...

x_refsource_MISC

CVSS V4

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 8, 2025
Vulnerability Reserved
Jul 9, 2025