Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
LinkAce is a self-hosted archive to collect website links. Versions prior to 2.5.3 block direct requests to private IP literals, but still performs server-side requests to internal-only resources when those resources are referenced through an internal hostname. This allows an authenticated user to trigger server-side requests to internal services reachable by the LinkAce server but not directly reachable by an external user. Version 2.5.3 patches the issue.
AnalysisAI
Server-Side Request Forgery (SSRF) in LinkAce self-hosted link archival application allows authenticated users to bypass IP-based blocklist protections and access internal-only resources through hostname resolution. Attackers with low-privilege accounts can leverage this to probe internal network services, exfiltrate sensitive data from internal APIs, or pivot to otherwise unreachable infrastructure. CVSS 8.5 (High) with cross-scope impact reflects the potential for lateral movement beyond the application boundary. No active exploitation confirmed (CISA KEV: not listed), but the vulnerability class (CWE-918 SSRF) is commonly exploited when accessible to authenticated users. Patch available in version 2.5.3.
Technical ContextAI
LinkAce is a self-hosted PHP-based web application for archiving and organizing website links, identified by CPE cpe:2.3:a:kovah:linkace. The vulnerability stems from incomplete Server-Side Request Forgery (SSRF) protections classified as CWE-918 (Server-Side Request Forgery). While the application implements IP literal blocklisting to prevent direct requests to private IP ranges (RFC 1918 addresses like 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), it fails to validate hostnames that resolve to internal addresses. When an authenticated user submits a URL with an internal hostname (e.g., internal-api.local, metadata.internal), the server performs DNS resolution and issues HTTP requests without re-validating the resolved IP against the blocklist. This Time-of-Check-Time-of-Use (TOCTOU) weakness allows bypass of perimeter controls through DNS rebinding or internal DNS entries, a common SSRF evasion technique targeting applications that only filter at the URL parsing stage rather than at connection establishment.
RemediationAI
Vendor-released patch: Version 2.5.3 resolves the SSRF vulnerability through enhanced hostname validation and IP resolution checks. Administrators should immediately upgrade all LinkAce installations to version 2.5.3 or later by following the update procedures documented in the project repository. The patch implements pre-connection IP validation to ensure resolved hostnames do not point to private IP ranges, closing the hostname-based bypass vector. For environments unable to immediately upgrade, implement network-level controls as temporary mitigations: configure egress filtering on the LinkAce server to block outbound connections to RFC 1918 private address spaces, localhost (127.0.0.0/8), link-local addresses (169.254.0.0/16), and cloud metadata service endpoints (169.254.169.254 for AWS/Azure). Additionally, restrict authenticated user account creation and audit existing user accounts for suspicious link submissions targeting internal hostnames. Review application logs for URL patterns containing internal domain suffixes or non-routable TLDs. Full remediation details and upgrade instructions are available in the GitHub Security Advisory at https://github.com/Kovah/LinkAce/security/advisories/GHSA-wp4g-qw9j-wfjg.
LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 8.4), this vulnerability is remotel
LinkAce is a self-hosted archive to collect links of your favorite websites. Rated high severity (CVSS 7.6), this vulner
LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 7.3), this vulnerability is remotel
Stored XSS in LinkAce 2.4.2 and below allows authenticated users to inject malicious JavaScript through improperly sanit
LinkAce is a self-hosted archive to collect links of your favorite websites. Rated medium severity (CVSS 5.4), this vuln
Stored cross-site scripting in LinkAce prior to 2.5.6 allows a low-privilege OAuth-authenticated user to plant a persist
Remote code execution in LinkAce self-hosted link archive versions prior to 2.5.6 allows unauthenticated remote attacker
Server-side request forgery in LinkAce allows authenticated users to make arbitrary HTTP requests to internal network ad
Cross-tenant resource tampering in LinkAce before 2.5.6 lets any authenticated user modify links, lists, tags, and notes
LinkAce versions before 2.5.3 disclose private notes to authenticated users via the web interface when viewing shared li
Server-side request forgery (SSRF) in LinkAce prior to version 2.5.4 allows authenticated users to read responses from i
LinkAce versions 2.1.0 and earlier allow authenticated users to inappropriately associate other users' private taxonomie
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16868