CVE-2026-27458 is a stored cross-site scripting vulnerability affecting Kovah LinkAce, a self-hosted link archive platform, in versions prior to 2.4.3. The flaw exists in the Atom feed endpoint (/lists/feed), where list descriptions are output using Blade's raw syntax ({!! !!}) inside an XML CDATA block without proper sanitization. An authenticated attacker can inject a payload containing the CDATA closing sequence (]]>) to prematurely terminate the CDATA section, then insert arbitrary XML/SVG elements, including an SVG with an onload event handler that executes JavaScript. Because the Atom feed is parsed natively by browsers' XML parsers, the injected script runs immediately when the feed URL is accessed, without requiring an RSS reader or additional rendering context. This bypasses typical XSS mitigations that rely on HTML context. The vulnerability stems from improper neutralization of script-related HTML tags (CWE-80) and unsafe template rendering practices. The vulnerability has a CVSS 4.0 score of 8.7, indicating high severity, with network attack vector, low attack complexity, no user interaction, and no privileges required beyond authentication. The issue was fixed in LinkAce version 2.4.3 by properly sanitizing the list descriptions or changing the rendering approach to prevent CDATA breaking and script injection.

This vulnerability allows authenticated attackers to execute arbitrary JavaScript in the browsers of users who access the vulnerable Atom feed URL. Potential impacts include session hijacking, theft of authentication tokens or cookies, unauthorized actions performed on behalf of users, and distribution of malware or phishing content. Since the feed is XML parsed natively by browsers, the attack does not require an RSS reader or additional user interaction beyond visiting the feed URL, increasing the risk of automated or stealthy exploitation. Organizations using LinkAce for internal or external link archiving may expose sensitive user sessions or internal network resources if attackers leverage this vulnerability. The attack scope is limited to authenticated users injecting payloads, but the victim set includes any user or system consuming the feed. This can lead to compromise of user accounts, data leakage, and erosion of trust in the platform. The vulnerability's exploitation could also facilitate further attacks within the affected environment, such as privilege escalation or lateral movement, depending on the victim's privileges and environment.

Upgrade Kovah LinkAce to version 2.4.3 or later, where this vulnerability is fixed. If immediate upgrade is not possible, implement strict input validation and sanitization on list descriptions to prevent injection of CDATA-breaking sequences and SVG/XML elements. Restrict access to the Atom feed endpoint to trusted users and networks to reduce exposure. Employ Content Security Policy (CSP) headers to restrict script execution sources and mitigate impact of injected scripts. Monitor and audit feed usage logs for suspicious activity or unexpected payloads. Educate users about the risks of visiting untrusted feed URLs. Consider disabling the Atom feed feature if it is not essential. Regularly review and update template rendering practices to avoid raw output of untrusted data, especially inside XML or HTML contexts. Implement web application firewalls (WAF) with rules to detect and block CDATA-breaking payloads or SVG injections targeting this endpoint.