Skip to main content

LinkAce CVE-2026-45344

| EUVDEUVD-2026-33054 HIGH
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-05-28 GitHub_M
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
May 28, 2026 - 23:02 EUVD
Analysis Generated
May 28, 2026 - 21:51 vuln.today

DescriptionGitHub Advisory

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup endpoints and supply a database they control can inject mail configuration variables and achieve command execution when the application later sends mail. This vulnerability is fixed in 2.5.6.

AnalysisAI

Remote code execution in LinkAce self-hosted link archive versions prior to 2.5.6 allows unauthenticated remote attackers to inject arbitrary mail configuration variables into the application's .env file via the initial setup database configuration flow, leading to command execution when the application subsequently sends mail. The flaw, classified as CWE-74 injection, affects instances that have not yet completed the setup wizard and carries a CVSS 8.1 (High). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

LinkAce is a PHP-based self-hosted bookmark/link archiving application by Kovah, identified by CPE cpe:2.3:a:kovah:linkace:*:*:*:*:*:*:*:*. Like many Laravel-style apps, it stores runtime configuration (including DB and mail settings) in a .env file that is parsed at boot. The vulnerability is a classic CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) - user-supplied values from the setup wizard's database-credential form are written verbatim into .env without escaping newline or delimiter characters, allowing an attacker to break out of the intended variable assignment and append additional configuration directives. By controlling MAIL_* variables (for example pointing MAIL_DRIVER to sendmail or injecting a malicious MAIL_PATH/transport argument), the attacker turns a later mail-send operation into a command-execution sink, a known Laravel/Symfony Mailer abuse pattern.

RemediationAI

Vendor-released patch: upgrade LinkAce to 2.5.6 or later, as specified in the GitHub Security Advisory GHSA-37m5-936h-w455 (https://github.com/Kovah/LinkAce/security/advisories/GHSA-37m5-936h-w455). For operators who cannot immediately upgrade, the most effective compensating control is to ensure setup is completed in a trusted environment before the instance is exposed to untrusted networks - provision LinkAce behind an authenticated reverse proxy or on a private network until the .env is finalized, then expose it. As a network-level mitigation, restrict access to the setup endpoints (the /setup routes used during initial database configuration) via reverse-proxy ACLs or firewall rules so only administrative IPs can reach them; the trade-off is that legitimate first-time setup must be performed from those allow-listed sources. Avoid re-triggering the setup flow on an already-deployed instance, and after upgrading, audit the .env file for unexpected MAIL_* or other variables that may indicate prior tampering.

CVE-2025-53838 HIGH POC
8.4 Sep 08

LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 8.4), this vulnerability is remotel

CVE-2024-56508 HIGH POC
7.6 Dec 27

LinkAce is a self-hosted archive to collect links of your favorite websites. Rated high severity (CVSS 7.6), this vulner

CVE-2025-59424 HIGH POC
7.3 Sep 18

LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 7.3), this vulnerability is remotel

CVE-2026-27458 MEDIUM POC
5.4 Feb 21

Stored XSS in LinkAce 2.4.2 and below allows authenticated users to inject malicious JavaScript through improperly sanit

CVE-2024-56507 MEDIUM POC
5.4 Dec 27

LinkAce is a self-hosted archive to collect links of your favorite websites. Rated medium severity (CVSS 5.4), this vuln

CVE-2026-45343 HIGH
8.5 May 28

Stored cross-site scripting in LinkAce prior to 2.5.6 allows a low-privilege OAuth-authenticated user to plant a persist

CVE-2026-33953 HIGH
8.5 Mar 27

Server-Side Request Forgery (SSRF) in LinkAce self-hosted link archival application allows authenticated users to bypass

CVE-2026-30953 HIGH
7.7 Mar 10

Server-side request forgery in LinkAce allows authenticated users to make arbitrary HTTP requests to internal network ad

CVE-2026-45342 HIGH
7.1 May 28

Cross-tenant resource tampering in LinkAce before 2.5.6 lets any authenticated user modify links, lists, tags, and notes

CVE-2026-33954 MEDIUM
6.5 Mar 27

LinkAce versions before 2.5.3 disclose private notes to authenticated users via the web interface when viewing shared li

CVE-2026-35516 MEDIUM
5.0 Apr 07

Server-side request forgery (SSRF) in LinkAce prior to version 2.5.4 allows authenticated users to read responses from i

CVE-2026-30954 MEDIUM
4.3 Mar 10

LinkAce versions 2.1.0 and earlier allow authenticated users to inappropriately associate other users' private taxonomie

Share

CVE-2026-45344 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy