CVE-2026-45343 | Kovah LinkAce up to 2.5.5 SSO/OAuth cross site scripting (GHSA-jx4g-ph82-x9mm)
ID: 6fa0b93e-0241-5641-85e1-858fc495c84d
STIX ID: report--6fa0b93e-0241-5641-85e1-858fc495c84d
Feed Name: VulDB Recent Entries
LinkAce versions up to 2.5.5 contain a stored XSS vulnerability (CVE-2026-45343) in SSO/OAuth: an attacker-controlled OAuth display name, combined with creating an API token, plants a persistent script in the audit log. When an administrator views /system/audit, the payload executes, enabling cookie theft, CSRF token exfiltration, or actions the admin can perform. The advisory reports that exploitation is easy in principle but that no public exploit is available, and it recommends upgrading to LinkAce 2.5.6 to remediate.
