Arbitrary JavaScript Execution in Linkwarden by Linkwarden
CVE-2026-42455

8.8 HIGH

Key Information:

Vendor: Linkwarden
CVE Published: 8 May 2026

What is CVE-2026-42455?

In Linkwarden versions 2.14.0 and earlier, the archive upload functionality is vulnerable due to a lack of proper sanitization for HTML files containing JavaScript. This oversight permits attackers to inject malicious scripts, which are executed within the context of authenticated user sessions. As the archived content is served with an incorrect Content-Type and without an adequate Content-Security-Policy header, the potential for exploitation increases significantly when users access these archives. At present, no patches are available to mitigate this issue.
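
A defender-side header check for the condition described above, as an added example that is not Linkwarden's code: it flags a response for user-uploaded archive content that a browser would render as active HTML without a Content-Security-Policy that blocks scripts. The function names, the set of active media types and the sample headers are assumptions constructed for illustration.

```python
# Added example: audit response headers for user-supplied archive content.
# Names and sample headers are constructed; they are not taken from Linkwarden.

ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:  # first occurrence wins
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def scripts_blocked(policy):
    """True if the policy prevents script execution in the served document."""
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return True
    sources = policy.get("script-src", policy.get("default-src"))
    return sources == ["'none'"]


def audit_archive_response(headers):
    """Return a list of findings for one response's headers (dict)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    disposition = h.get("content-disposition", "").strip().lower()
    renders_inline = not disposition.startswith("attachment")
    if not media_type:
        findings.append("no Content-Type: browser may sniff the body as HTML")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if renders_inline and (media_type in ACTIVE_TYPES or not media_type):
        if not scripts_blocked(parse_csp(h.get("content-security-policy", ""))):
            findings.append("active content rendered inline with no CSP blocking scripts")
    return findings


# Constructed sample responses.
WEAK = {"Content-Type": "text/html; charset=utf-8"}
HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "sandbox; default-src 'none'; img-src data:",
}
```

Run `audit_archive_response` over the headers returned for a stored archive; an empty list means none of the three conditions were found.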

Affected Version(s)

linkwarden <= 2.14.0

CVSS V4

Score: 8.8
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
