Stored Cross-Site Scripting Vulnerability in LinkAce by Kovah
CVE-2025-59424

7.3HIGH

Key Information:

Vendor: Kovah
Status: Linkace
Vendor: CVE Published:; 18 September 2025

What is CVE-2025-59424?

LinkAce, a self-hosted archive for collecting website links, is subject to a Stored Cross-Site Scripting (XSS) vulnerability. This issue arises on the /system/audit page, where the application improperly sanitizes input from the username field before rendering it in the audit log. An authenticated attacker can exploit this vulnerability by entering a malicious JavaScript payload as their username. When actions associated with this user are recorded—such as generating or revoking an API token—the harmful script is stored within the database. Later, whenever any user, particularly administrators, accesses the /system/audit page, the script is executed in their browser, posing a significant security risk. The vulnerability has been addressed in version 2.3.1 of LinkAce.

Affected Version(s)

LinkAce < 2.3.1

References

https://github.com/Kovah/LinkAce/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/Kovah/LinkAce/commit/c0d21b974b32f1ca2...

x_refsource_MISC

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 18, 2025
Vulnerability Reserved
Sep 15, 2025