CVE 8.7 HIGH

Link Preview JS: vunerable to IPv6 and internal loopback attacks_CVE-2026-43897

May 11, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Link Preview JS extracts web links information. Prior to 4.0.1, the library did not check for IPv6 loopback attacks. There was also a DNS attack, where an address could be resolved into an internal IP. This could cause internal data leaks. This vulnerability is fixed in 4.0.1.

AI Analysis

The library is vulnerable to IPv6 loopback attacks and DNS attacks, potentially causing internal data leaks.

Basic Information

ID CVE-2026-43897

Source GitHub_M

Published May 11, 2026 at 21:14

Affected Product

Vendor OP-Engineering

Product link-preview-js

Version < 4.0.1

Affected Versions OP-Engineering link-preview-js < 4.0.1

CWE Classification

CWE-918

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor OP-Engineering

Product link-preview-js

Version < 4.0.1

References

{
    "lastseen": "",
    "description": "Link Preview JS extracts web links information. Prior to 4.0.1, the library did not check for IPv6 loopback attacks. There was also a DNS attack, where an address could be resolved into an internal IP. This could cause internal data leaks. This vulnerability is fixed in 4.0.1.",
    "published": "2026-05-11T21:14:40.495Z",
    "modified": "2026-05-11T21:14:40.495Z",
    "type": "cve",
    "title": "Link Preview JS: vunerable to IPv6 and internal loopback attacks",
    "source": "GitHub_M",
    "references": "https://github.com/OP-Engineering/link-preview-js/security/advisories/GHSA-4gp8-rjrq-ch6q\nhttps://github.com/OP-Engineering/link-preview-js/pull/179\nhttps://github.com/OP-Engineering/link-preview-js/commit/4396d48909fab37553c0e93e26447fe218363ede\nhttps://github.com/OP-Engineering/link-preview-js/releases/tag/4.0.1",
    "id": "CVE-2026-43897",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "OP-Engineering link-preview-js < 4.0.1",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "link-preview-js",
    "version": "< 4.0.1",
    "vendor": "OP-Engineering",
    "ai_description": "The library is vulnerable to IPv6 loopback attacks and DNS attacks, potentially causing internal data leaks.",
    "ai_severity": "High",
    "ai_vendor": "OP-Engineering",
    "ai_product": "link-preview-js",
    "ai_version": "< 4.0.1",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply