CVE-2026-43897: link-preview-js vulnerable to IPv6 and internal loopback attacks
The library did not check for IPv6 loopback addresses. It was also exposed to a DNS-based attack, in which a hostname could resolve to an internal IP address. Either issue could cause internal data leaks.
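One way to perform the two checks described above before fetching a preview URL, as an added Node.js example that is not link-preview-js code or its fix. The function names `isInternalAddress` and `resolvePublicAddresses`, the range list and the injectable `lookup` parameter are assumptions made for illustration.

```javascript
// Added example, not link-preview-js code. Function names are hypothetical.
const net = require('node:net');
const dns = require('node:dns').promises;

// Ranges a preview fetcher should never reach: loopback, private, link-local.
const internal = new net.BlockList();
internal.addSubnet('0.0.0.0', 8, 'ipv4');       // "this host"
internal.addSubnet('127.0.0.0', 8, 'ipv4');     // IPv4 loopback
internal.addSubnet('10.0.0.0', 8, 'ipv4');      // RFC 1918 private ranges
internal.addSubnet('172.16.0.0', 12, 'ipv4');
internal.addSubnet('192.168.0.0', 16, 'ipv4');
internal.addSubnet('169.254.0.0', 16, 'ipv4');  // link-local, cloud metadata
internal.addAddress('::1', 'ipv6');             // IPv6 loopback
internal.addAddress('::', 'ipv6');              // unspecified address
internal.addSubnet('fc00::', 7, 'ipv6');        // unique local
internal.addSubnet('fe80::', 10, 'ipv6');       // IPv6 link-local

function isInternalAddress(ip) {
  const family = net.isIP(ip);                  // 0 when not an IP literal
  if (family === 0) return true;                // fail closed on anything odd
  return internal.check(ip, family === 6 ? 'ipv6' : 'ipv4');
}

// Resolve every A/AAAA record and reject if any one of them is internal.
// `lookup` is injectable so the check can be exercised offline.
async function resolvePublicAddresses(rawUrl, lookup = dns.lookup) {
  const url = new URL(rawUrl);
  if (!['http:', 'https:'].includes(url.protocol)) {
    throw new Error('scheme not allowed');
  }
  // URL keeps the brackets around IPv6 literals: "[::1]" -> "::1"
  const host = url.hostname.replace(/^\[|\]$/g, '');
  const records = net.isIP(host)
    ? [{ address: host }]
    : await lookup(host, { all: true });
  const bad = records.find((r) => isInternalAddress(r.address));
  if (bad) throw new Error(`blocked internal address ${bad.address}`);
  return records.map((r) => r.address);
}
```

Validating the name once is not sufficient if the HTTP client resolves it again afterwards: connect to one of the returned addresses, and repeat the check for every redirect target.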
References
- github.com/OP-Engineering/link-preview-js
- github.com/OP-Engineering/link-preview-js/commit/4396d48909fab37553c0e93e26447fe218363ede
- github.com/OP-Engineering/link-preview-js/pull/179
- github.com/OP-Engineering/link-preview-js/releases/tag/4.0.1
- github.com/OP-Engineering/link-preview-js/security/advisories/GHSA-4gp8-rjrq-ch6q
- github.com/advisories/GHSA-4gp8-rjrq-ch6q
- nvd.nist.gov/vuln/detail/CVE-2026-43897