
CVE-2025-59424: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Kovah LinkAce

High
Published: Thu Sep 18 2025 (09/18/2025, 19:53:38 UTC)
Source: CVE Database V5
Vendor/Project: Kovah
Product: LinkAce

Description

LinkAce is a self-hosted archive to collect website links. Prior to 2.3.1, a Stored Cross-Site Scripting (XSS) vulnerability has been identified on the /system/audit page. The application fails to properly sanitize the username field before it is rendered in the audit log. An authenticated attacker can set a malicious JavaScript payload as their username. When an action performed by this user is recorded (e.g., generate or revoke an API token), the payload is stored in the database. The script is then executed in the browser of any user, particularly administrators, who views the /system/audit page. This vulnerability is fixed in 2.3.1.

AI-Powered Analysis

Last updated: 09/18/2025, 20:00:26 UTC

Technical Analysis

CVE-2025-59424 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability affecting Kovah's LinkAce product versions prior to 2.3.1. LinkAce is a self-hosted web application designed to archive and manage collections of website links. The vulnerability exists on the /system/audit page, where the application fails to properly sanitize the username field before rendering it in the audit log. An authenticated attacker can exploit this by setting their username to a malicious JavaScript payload. When this user performs an action that is logged (such as generating or revoking an API token), the malicious script is stored in the database. Subsequently, when any user—especially administrators—views the /system/audit page, the stored script executes in their browser context. This can lead to theft of session cookies, credential theft, or unauthorized actions performed with the privileges of the victim user. The vulnerability requires the attacker to be authenticated and involves user interaction (viewing the audit page) but does not require elevated privileges to inject the payload. The CVSS v3.1 score is 7.3 (high), reflecting the network attack vector, low attack complexity, required privileges, and user interaction. The impact on confidentiality and integrity is high, while availability is not affected. No known exploits in the wild have been reported as of the publication date, and the issue is fixed in LinkAce version 2.3.1.

Potential Impact

For European organizations using LinkAce versions prior to 2.3.1, this vulnerability poses a significant risk, especially in environments where multiple users, including administrators, access the audit logs. Successful exploitation could allow attackers to hijack administrator sessions, escalate privileges, or perform unauthorized actions within the LinkAce application. Given that LinkAce is used to manage collections of web links, compromise could lead to further lateral movement or data exposure if attackers leverage the application as a foothold. The risk is amplified in organizations with stringent data protection requirements under GDPR, as unauthorized access or data leakage could lead to regulatory penalties and reputational damage. Additionally, organizations relying on LinkAce for operational workflows may face disruption if administrative accounts are compromised. Although exploitation requires authentication and user interaction, insider threats or compromised user credentials could facilitate attacks. The lack of known exploits in the wild suggests the vulnerability is not yet actively exploited, but the ease of exploitation and high impact warrant urgent remediation.

Mitigation Recommendations

1. Immediate upgrade of LinkAce to version 2.3.1 or later, where the vulnerability is patched, is the most effective mitigation.
2. Implement strict access controls and monitoring on the /system/audit page to limit exposure to trusted administrators only.
3. Enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of attacker authentication.
4. Conduct regular audits of usernames and user-generated content for suspicious or anomalous entries that may indicate attempted exploitation.
5. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser context, mitigating the impact of XSS payloads.
6. Educate administrators and users about the risks of clicking on suspicious links or interacting with untrusted content within the application.
7. Monitor application logs and network traffic for unusual activity that could indicate exploitation attempts.
8. If upgrading immediately is not feasible, consider temporarily disabling or restricting access to the /system/audit page to minimize risk.
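
The flaw described under Technical Analysis and the username audit in recommendation 4 can be illustrated together. The following is an added example, not LinkAce code: it contrasts an audit-log row built from a raw stored username with one that is output-encoded at render time, and flags stored usernames that contain markup. The sample rows, function names and the detection pattern are assumptions constructed for illustration.

```python
import html
import re

# Constructed sample rows: (user id, username, logged action). Not LinkAce data.
AUDIT_ROWS = [
    (1, "alice", "generated an API token"),
    (2, "<script>alert(1)</script>", "revoked an API token"),
    (3, "Bob O'Neil <admin>", "generated an API token"),
    (4, "carol&dave", "revoked an API token"),
]

# Markup that has no place in a display name: tags, event handlers, script URLs.
# Heuristic chosen for this example; tune it to your own naming rules.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-zA-Z!]|\bon\w+\s*=|javascript\s*:", re.IGNORECASE
)


def render_row_unsafe(username: str, action: str) -> str:
    """The flawed pattern: a stored value interpolated into HTML as-is."""
    return f"<tr><td>{username}</td><td>{action}</td></tr>"


def render_row_safe(username: str, action: str) -> str:
    """Output-encode every stored value at render time."""
    return (
        f"<tr><td>{html.escape(username)}</td>"
        f"<td>{html.escape(action)}</td></tr>"
    )


def suspicious_usernames(rows):
    """Return (id, username) pairs whose username contains markup."""
    return [(uid, name) for uid, name, _ in rows if SUSPICIOUS.search(name)]


if __name__ == "__main__":
    for uid, name in suspicious_usernames(AUDIT_ROWS):
        print(f"review user {uid}: {name!r}")
    # The encoded row displays the username as text instead of executing it.
    print(render_row_safe(AUDIT_ROWS[1][1], AUDIT_ROWS[1][2]))
```

A flagged username is a lead for review, not proof of exploitation; row 3 in the sample is a harmless name that still warrants a look because it contains angle brackets.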


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-15T19:13:16.905Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68cc64c6b0b9cd5a3ed10585

Added to database: 9/18/2025, 8:00:06 PM

Last enriched: 9/18/2025, 8:00:26 PM

Last updated: 9/18/2025, 8:09:23 PM
