Skip to main content

Linkace CVE-2026-33953

| EUVDEUVD-2026-16868 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-27 GitHub_M
8.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:11 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.5.3
EUVD ID Assigned
Mar 27, 2026 - 22:00 euvd
EUVD-2026-16868
Analysis Generated
Mar 27, 2026 - 22:00 vuln.today
CVE Published
Mar 27, 2026 - 21:22 nvd
HIGH 8.5

DescriptionGitHub Advisory

LinkAce is a self-hosted archive to collect website links. Versions prior to 2.5.3 block direct requests to private IP literals, but still performs server-side requests to internal-only resources when those resources are referenced through an internal hostname. This allows an authenticated user to trigger server-side requests to internal services reachable by the LinkAce server but not directly reachable by an external user. Version 2.5.3 patches the issue.

AnalysisAI

Server-Side Request Forgery (SSRF) in LinkAce self-hosted link archival application allows authenticated users to bypass IP-based blocklist protections and access internal-only resources through hostname resolution. Attackers with low-privilege accounts can leverage this to probe internal network services, exfiltrate sensitive data from internal APIs, or pivot to otherwise unreachable infrastructure. CVSS 8.5 (High) with cross-scope impact reflects the potential for lateral movement beyond the application boundary. No active exploitation confirmed (CISA KEV: not listed), but the vulnerability class (CWE-918 SSRF) is commonly exploited when accessible to authenticated users. Patch available in version 2.5.3.

Technical ContextAI

LinkAce is a self-hosted PHP-based web application for archiving and organizing website links, identified by CPE cpe:2.3:a:kovah:linkace. The vulnerability stems from incomplete Server-Side Request Forgery (SSRF) protections classified as CWE-918 (Server-Side Request Forgery). While the application implements IP literal blocklisting to prevent direct requests to private IP ranges (RFC 1918 addresses like 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), it fails to validate hostnames that resolve to internal addresses. When an authenticated user submits a URL with an internal hostname (e.g., internal-api.local, metadata.internal), the server performs DNS resolution and issues HTTP requests without re-validating the resolved IP against the blocklist. This Time-of-Check-Time-of-Use (TOCTOU) weakness allows bypass of perimeter controls through DNS rebinding or internal DNS entries, a common SSRF evasion technique targeting applications that only filter at the URL parsing stage rather than at connection establishment.

RemediationAI

Vendor-released patch: Version 2.5.3 resolves the SSRF vulnerability through enhanced hostname validation and IP resolution checks. Administrators should immediately upgrade all LinkAce installations to version 2.5.3 or later by following the update procedures documented in the project repository. The patch implements pre-connection IP validation to ensure resolved hostnames do not point to private IP ranges, closing the hostname-based bypass vector. For environments unable to immediately upgrade, implement network-level controls as temporary mitigations: configure egress filtering on the LinkAce server to block outbound connections to RFC 1918 private address spaces, localhost (127.0.0.0/8), link-local addresses (169.254.0.0/16), and cloud metadata service endpoints (169.254.169.254 for AWS/Azure). Additionally, restrict authenticated user account creation and audit existing user accounts for suspicious link submissions targeting internal hostnames. Review application logs for URL patterns containing internal domain suffixes or non-routable TLDs. Full remediation details and upgrade instructions are available in the GitHub Security Advisory at https://github.com/Kovah/LinkAce/security/advisories/GHSA-wp4g-qw9j-wfjg.

CVE-2025-53838 HIGH POC
8.4 Sep 08

LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 8.4), this vulnerability is remotel

CVE-2024-56508 HIGH POC
7.6 Dec 27

LinkAce is a self-hosted archive to collect links of your favorite websites. Rated high severity (CVSS 7.6), this vulner

CVE-2025-59424 HIGH POC
7.3 Sep 18

LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 7.3), this vulnerability is remotel

CVE-2026-27458 MEDIUM POC
5.4 Feb 21

Stored XSS in LinkAce 2.4.2 and below allows authenticated users to inject malicious JavaScript through improperly sanit

CVE-2024-56507 MEDIUM POC
5.4 Dec 27

LinkAce is a self-hosted archive to collect links of your favorite websites. Rated medium severity (CVSS 5.4), this vuln

CVE-2026-45343 HIGH
8.5 May 28

Stored cross-site scripting in LinkAce prior to 2.5.6 allows a low-privilege OAuth-authenticated user to plant a persist

CVE-2026-45344 HIGH
8.1 May 28

Remote code execution in LinkAce self-hosted link archive versions prior to 2.5.6 allows unauthenticated remote attacker

CVE-2026-30953 HIGH
7.7 Mar 10

Server-side request forgery in LinkAce allows authenticated users to make arbitrary HTTP requests to internal network ad

CVE-2026-45342 HIGH
7.1 May 28

Cross-tenant resource tampering in LinkAce before 2.5.6 lets any authenticated user modify links, lists, tags, and notes

CVE-2026-33954 MEDIUM
6.5 Mar 27

LinkAce versions before 2.5.3 disclose private notes to authenticated users via the web interface when viewing shared li

CVE-2026-35516 MEDIUM
5.0 Apr 07

Server-side request forgery (SSRF) in LinkAce prior to version 2.5.4 allows authenticated users to read responses from i

CVE-2026-30954 MEDIUM
4.3 Mar 10

LinkAce versions 2.1.0 and earlier allow authenticated users to inappropriately associate other users' private taxonomie

Share

CVE-2026-33953 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy