CVE-2026-42455 | THREATINT

Description

Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. In versions 2.14.0 and prior, the archive upload endpoint (POST /api/v1/archives/[linkId]?format=4) accepts HTML files (text/html) without sanitizing JavaScript content. When the archive is later accessed via GET /api/v1/archives/[linkId]?format=4, the HTML is served with Content-Type: text/html from the Linkwarden origin, without any Content-Security-Policy header. This allows arbitrary JavaScript execution in the context of the authenticated Linkwarden sessio. At time of publication, there are no publicly available patches.

PUBLISHED Reserved 2026-04-27 | Published 2026-05-08 | Updated 2026-05-08 | Assigner GitHub_M

HIGH: 8.8CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

<= 2.14.0

affected

References

github.com/...warden/security/advisories/GHSA-fjvg-mch3-j3vg

cve.org (CVE-2026-42455)

nvd.nist.gov (CVE-2026-42455)

Download JSON