
CVE-2026-42455: Linkwarden versions 2.14.0 and prior: Unsanitized JavaScript in archive upload

CVE-2026-42455
Summary

Linkwarden, a self-hosted bookmark manager, has a security issue in versions 2.14.0 and prior. If an attacker uploads a malicious HTML file as an archive, the script it contains runs in the browser of any user who later views that archive, in the context of their authenticated Linkwarden session. To protect your server, update to the latest version of Linkwarden.

Original title
Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. In versions 2.14.0 and prior, the archive upload endpoint (POST /api/v1/archives/[...
Original description
Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. In versions 2.14.0 and prior, the archive upload endpoint (POST /api/v1/archives/[linkId]?format=4) accepts HTML files (text/html) without sanitizing JavaScript content. When the archive is later accessed via GET /api/v1/archives/[linkId]?format=4, the HTML is served with Content-Type: text/html from the Linkwarden origin, without any Content-Security-Policy header. This allows arbitrary JavaScript execution in the context of the authenticated Linkwarden session. At time of publication, there are no publicly available patches.
NVD CVSS 4.0 score: 8.8
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 9 May 2026 · Updated: 28 May 2026 · First seen: 9 May 2026