CVE-2025-49588

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-49588
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49588.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-49588
Aliases
  • GHSA-rfc2-x8hr-536q
Published
2025-07-02T14:05:29.039Z
Modified
2026-04-10T05:30:05.941316Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Linkwarden Local File Inclusion Vulnerability
Details

Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. In version 2.10.2, the server accepts links of format file:///etc/passwd and doesn't do any validation before sending them to parsers and playwright, this can result in leak of other user's links (and in some cases it might be possible to leak environment secrets). This issue has been patched in version 2.10.3 which has not been made public at time of publication.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-73"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49588.json"
}
References

Affected packages

Git / github.com/linkwarden/linkwarden

Affected ranges

Type
GIT
Repo
https://github.com/linkwarden/linkwarden
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
3762d971e9ec1d8e2842d6cdb5c05f695ccb6c75
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "= 2.10.2"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.1
v1.1.0
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v2.*
v2.0.0
v2.1.0
v2.10.0
v2.10.1
v2.10.2
v2.2.0
v2.2.1
v2.3.0
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.9.0
v2.9.1
v2.9.2
v2.9.3

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49588.json"