CVE-2026-43897

Published: Mag 12, 2026 Last Modified: Mag 12, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,7

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

Link Preview JS extracts web links information. Prior to 4.0.1, the library did not check for IPv6 loopback attacks. There was also a DNS attack, where an address could be resolved into an internal IP. This could cause internal data leaks. This vulnerability is fixed in 4.0.1.

918

Server-Side Request Forgery (SSRF)

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Access Control

Potential Impacts:

Read Application Data Execute Unauthorized Code Or Commands Bypass Protection Mechanism

Applicable Platforms

Technologies: AI/ML, Web Based, Web Server

View CWE Details

https://github.com/OP-Engineering/link-preview-js/commit/43…

https://github.com/OP-Engineering/link-preview-js/commit/4396d48909fab37553c0e9…

https://github.com/OP-Engineering/link-preview-js/pull/179

https://github.com/OP-Engineering/link-preview-js/pull/179

https://github.com/OP-Engineering/link-preview-js/releases/…

https://github.com/OP-Engineering/link-preview-js/releases/tag/4.0.1

https://github.com/OP-Engineering/link-preview-js/security/…

https://github.com/OP-Engineering/link-preview-js/security/advisories/GHSA-4gp8…