CVE-2026-27458 is a stored cross-site scripting vulnerability in Kovah LinkAce, a self-hosted link archive application. The vulnerability affects versions 2.4.2 and earlier and resides in the Atom feed endpoint (/lists/feed) that outputs list descriptions inside an XML CDATA section using Blade's raw syntax ({!! !!}) without sanitization. An authenticated user can craft a payload that prematurely closes the CDATA section by injecting the sequence ]]> and then inserts arbitrary XML/SVG elements. Because browsers natively parse the Atom XML feed, the injected SVG elements can include JavaScript event handlers such as onload, which execute immediately when the feed URL is visited. This bypasses the need for an RSS reader or additional rendering context. The flaw arises from improper neutralization of script-related HTML tags (CWE-80) within the XML feed output. The vulnerability allows an attacker to execute arbitrary JavaScript in the victim's browser context, potentially compromising confidentiality and integrity of user data. The CVSS 4.0 base score is 8.7 (high severity), reflecting network attack vector, low attack complexity, no user interaction, and partial impact on confidentiality, integrity, and availability. The issue was resolved in LinkAce version 2.4.3 by properly sanitizing output and preventing CDATA breakouts.

This vulnerability poses a significant risk to organizations using self-hosted LinkAce instances, especially those that share Atom feed URLs publicly or within trusted networks. Exploitation can lead to arbitrary JavaScript execution in the context of users accessing the feed, enabling session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. Since the attack requires only an authenticated user to inject the payload but no interaction from victims beyond visiting the feed URL, it can be leveraged for persistent attacks against administrators or users who consume the feed. The vulnerability could also facilitate lateral movement or data exfiltration within organizations relying on LinkAce for link management. Given the high CVSS score and ease of exploitation, the impact on confidentiality and integrity is substantial, with moderate availability impact if attackers disrupt feed consumption. Organizations with sensitive or critical link archives are at elevated risk.

The primary mitigation is to upgrade LinkAce to version 2.4.3 or later, where the vulnerability is fixed by proper output sanitization and prevention of CDATA section breakouts. Until upgrade is possible, organizations should restrict access to the Atom feed endpoint to trusted users only and monitor for suspicious activity from authenticated users who can modify list descriptions. Implementing web application firewalls (WAFs) with custom rules to detect and block payloads containing CDATA break sequences or suspicious SVG elements in feed requests can provide interim protection. Additionally, security teams should audit user privileges to limit who can create or edit list descriptions, reducing the attack surface. Educating users to avoid visiting untrusted or unknown feed URLs and employing browser security features such as Content Security Policy (CSP) can help mitigate impact. Regular security assessments and monitoring for anomalous feed content are recommended.