Stored Cross-site Scripting in LinkAce Plugin by Kovah
CVE-2026-27458

8.7 HIGH

Key Information:

Vendor: Kovah

CVE Published: 21 February 2026

What is CVE-2026-27458?

A Stored Cross-site Scripting vulnerability in the LinkAce archive plugin allows authenticated users to inject malicious payloads through the Atom feed endpoint for lists (/lists/feed). The flaw comes from improper output sanitization: list descriptions are written with Blade's raw (unescaped) syntax inside a CDATA block, so an attacker-controlled description can close the CDATA section and embed SVG elements directly into the Atom XML document. The result is arbitrary JavaScript execution in the browser when the feed URL is accessed. This vulnerability has been resolved in version 2.4.3.
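The CDATA breakout described above and two ways to neutralise it, as an added example that is not LinkAce's code or its actual patch. The function names, the `<entry>`/`<summary>` wrapper and the inert `<marker/>` description are constructed for illustration.

```php
<?php
// Vulnerable pattern: user text placed unmodified inside a CDATA section,
// which is the effect of Blade's raw {!! !!} output inside <![CDATA[ ... ]]>.
function summaryRawCdata(string $text): string
{
    return '<summary type="html"><![CDATA[' . $text . ']]></summary>';
}

// Mitigation 1: keep CDATA but split every "]]>" across two sections,
// so user text can never terminate the section it sits in.
function summarySplitCdata(string $text): string
{
    $safe = str_replace(']]>', ']]]]><![CDATA[>', $text);
    return '<summary type="html"><![CDATA[' . $safe . ']]></summary>';
}

// Mitigation 2: drop CDATA and XML-escape the text
// (the same kind of escaping Blade's {{ }} applies).
function summaryEscaped(string $text): string
{
    $safe = htmlspecialchars($text, ENT_XML1 | ENT_QUOTES, 'UTF-8');
    return '<summary type="html">' . $safe . '</summary>';
}

// Parse the fragment the way a feed consumer would and return <summary>.
function parseSummary(string $summaryXml): DOMElement
{
    $doc = new DOMDocument();
    $doc->loadXML('<entry>' . $summaryXml . '</entry>');
    return $doc->getElementsByTagName('summary')->item(0);
}

// Constructed, inert description: closes CDATA, adds an element, reopens CDATA.
$description = 'My links ]]><marker/><![CDATA[ more text';

$builders = ['raw' => 'summaryRawCdata', 'split' => 'summarySplitCdata', 'escaped' => 'summaryEscaped'];
foreach ($builders as $name => $build) {
    $summary = parseSummary($build($description));
    // A description is plain text, so any child element is injected markup.
    $injected = $summary->getElementsByTagName('*')->length;
    $intact = $summary->textContent === $description;
    printf("%-8s injected elements: %d, text intact: %s\n", $name, $injected, $intact ? 'yes' : 'no');
}
```

Only the raw variant yields a child element under `<summary>`; the same check works as a regression test against a rendered feed.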

Affected Version(s)

LinkAce < 2.4.3


CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
