Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
LinkAce is a self-hosted archive to collect website links. In versions prior to 2.5.3, a private note attached to a non-private link can be disclosed to a different authenticated user via the web interface. The API appears to correctly enforce note visibility, but the web link detail page renders notes without applying equivalent visibility filtering. As a result, an authenticated user who is allowed to view another user's internal or public link can read that user's private notes attached to the link. Version 2.5.3 patches the issue.
AnalysisAI
LinkAce versions before 2.5.3 disclose private notes to authenticated users via the web interface when viewing shared links, despite the API correctly enforcing note visibility restrictions. An authenticated user can read another user's private notes attached to internal or public links by accessing the web link detail page, resulting in unauthorized information disclosure. Version 2.5.3 patches this authorization bypass.
Technical ContextAI
LinkAce is a self-hosted web application for archiving and organizing website links. The vulnerability stems from inconsistent authorization logic between the REST API and the web interface view layer (CWE-285: Improper Authorization). While the API endpoint correctly filters notes based on visibility permissions, the web template rendering the link detail page fails to apply the same visibility checks before outputting note content to the browser. This is a classic case of authorization enforcement bypassed through an alternate interface-the API enforces the control correctly, but the web UI rendering layer does not validate that the authenticated user has permission to view the specific note being displayed. The affected product range covers LinkAce prior to version 2.5.3 as specified in CPE cpe:2.3:a:kovah:linkace:*:*:*:*:*:*:*:*.
RemediationAI
Vendor-released patch: Upgrade LinkAce to version 2.5.3 or later. This version includes fixes to enforce note visibility filtering in the web interface, aligning the UI behavior with API authorization controls. Users should update their self-hosted installations immediately by obtaining the latest release from the LinkAce GitHub repository (https://github.com/Kovah/LinkAce) or consulting the security advisory at https://github.com/Kovah/LinkAce/security/advisories/GHSA-88h3-cq25-vw8q for step-by-step upgrade instructions. No workarounds are available for versions prior to 2.5.3; patching is the only mitigation.
LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 8.4), this vulnerability is remotel
LinkAce is a self-hosted archive to collect links of your favorite websites. Rated high severity (CVSS 7.6), this vulner
LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 7.3), this vulnerability is remotel
Stored XSS in LinkAce 2.4.2 and below allows authenticated users to inject malicious JavaScript through improperly sanit
LinkAce is a self-hosted archive to collect links of your favorite websites. Rated medium severity (CVSS 5.4), this vuln
Stored cross-site scripting in LinkAce prior to 2.5.6 allows a low-privilege OAuth-authenticated user to plant a persist
Server-Side Request Forgery (SSRF) in LinkAce self-hosted link archival application allows authenticated users to bypass
Remote code execution in LinkAce self-hosted link archive versions prior to 2.5.6 allows unauthenticated remote attacker
Server-side request forgery in LinkAce allows authenticated users to make arbitrary HTTP requests to internal network ad
Cross-tenant resource tampering in LinkAce before 2.5.6 lets any authenticated user modify links, lists, tags, and notes
Server-side request forgery (SSRF) in LinkAce prior to version 2.5.4 allows authenticated users to read responses from i
LinkAce versions 2.1.0 and earlier allow authenticated users to inappropriately associate other users' private taxonomie
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16870