CVE-2026-45738: Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation

A user with application write access (developer role) can set link.argocd.argoproj.io/* annotations on any ArgoCD Application. These annotation values are rendered in the Summary tab’s URLs section as <a href> elements without URL validation. Using the pipe-separator trick (Display Text | javascript:...), an attacker can inject a javascript: URI while displaying a legitimate-looking label (e.g. GitHub Repo). When a higher-privileged user (admin) clicks the link, arbitrary JavaScript executes in the ArgoCD origin context in the admin’s authenticated session context, enabling API exfiltration and privilege escalation from developer to admin.