LinkedIn job offer link can trigger hidden code execution

A proof‑of‑concept shows a specially crafted job‑offer URL runs JavaScript in the LinkedIn UI, exposing a potential backdoor.

A security researcher demonstrated that a LinkedIn job‑offer link can execute hidden JavaScript when viewed in the browser.

Roman G. R. published a proof‑of‑concept on June 15 2026 showing that a URL formatted as https://www.linkedin.com/jobs/view/... with an appended ?redirect= parameter can load an attacker‑controlled script. The script runs in the context of the LinkedIn page, allowing read‑only access to profile data and the ability to post comments. The proof‑of‑concept works on current desktop browsers but does not affect the mobile app.
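The gap described above is a redirect parameter whose value is not restricted to the site's own origin. The following is an added illustration of a same‑origin allow‑list check for such a parameter, written for this article; it is not LinkedIn's code or the researcher's proof‑of‑concept. The parameter name and the /jobs/view/ URL shape come from the article; the policy, the origin constant and the sample links are assumptions constructed for the example.

```javascript
// Added example (not LinkedIn's code or the researcher's PoC): a same-origin
// allow-list check for a "redirect" query parameter. The parameter name and
// the /jobs/view/ URL shape come from the article; the policy and the sample
// links below are constructed for this illustration.
const SITE_ORIGIN = "https://www.linkedin.com"; // assumed origin for the check

// Returns the absolute same-origin URL the redirect may go to, or null when
// the parameter is absent or must be ignored.
function safeRedirectTarget(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch (e) { return null; }
  const target = url.searchParams.get("redirect");
  if (target === null) return null;
  // Require a plain relative path: exactly one leading "/" and no backslash.
  // This rejects absolute URLs, scheme-relative "//host" values and
  // non-https schemes before any resolution happens.
  if (!/^\/(?![\/\\])/.test(target)) return null;
  let resolved;
  try { resolved = new URL(target, SITE_ORIGIN); } catch (e) { return null; }
  // Defence in depth: the resolved URL must still be same-origin https
  // with no embedded credentials.
  if (resolved.origin !== SITE_ORIGIN || resolved.protocol !== "https:") return null;
  if (resolved.username || resolved.password) return null;
  return resolved.href;
}

// Detection side: given a batch of job links (for instance from a mail
// gateway or proxy log), return those whose redirect value fails the check.
function flagUnsafeRedirects(links) {
  return links.filter((link) => {
    let url;
    try { url = new URL(link); } catch (e) { return true; }
    return url.searchParams.has("redirect") && safeRedirectTarget(link) === null;
  });
}

// Constructed sample links: the first is benign, the other two are not.
const SAMPLE_LINKS = [
  "https://www.linkedin.com/jobs/view/1?redirect=/feed/",
  "https://www.linkedin.com/jobs/view/2?redirect=//cdn.example/s.js",
  "https://www.linkedin.com/jobs/view/3?redirect=https://cdn.example/s.js",
];

console.log(flagUnsafeRedirects(SAMPLE_LINKS));
```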

If exploited, the flaw could let an attacker skim profile details or embed spam without the user noticing. LinkedIn has not confirmed a fix, and the researcher notes that no active exploit has been seen in the wild. The disclosure remains a proof‑of‑concept to highlight a gap in LinkedIn’s URL handling.

For now, users should avoid clicking unsolicited job‑offer links and consider opening them in a sandboxed browser.

The Revision

Written by an AI system from the public sources credited above.