Skip to main content

Linkace EUVDEUVD-2026-19682

| CVE-2026-35516 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-07 GitHub_M
5.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.5.4
EUVD ID Assigned
Apr 07, 2026 - 15:30 euvd
EUVD-2026-19682
Analysis Generated
Apr 07, 2026 - 15:30 vuln.today
CVE Published
Apr 07, 2026 - 15:14 nvd
MEDIUM 5.0

DescriptionGitHub Advisory

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a public URL and then updating it to a private IP. The links:check cron job makes the request server-side without IP filtering. This can expose cloud credentials, internal service data, and network topology. This vulnerability is fixed in 2.5.4.

AnalysisAI

Server-side request forgery (SSRF) in LinkAce prior to version 2.5.4 allows authenticated users to read responses from internal services by updating links to private IP addresses, exposing cloud credentials and internal service metadata. The links:check cron job executes requests without IP filtering, enabling attackers to probe AWS IMDSv1, cloud metadata endpoints, and internal APIs. The vulnerability requires authentication but operates over the network with low complexity, affecting all installations running versions before 2.5.4. No public exploit code or confirmed active exploitation has been identified at time of analysis.

Technical ContextAI

LinkAce's LinkRepository::update and CheckLinksCommand::checkLink functions perform server-side HTTP requests to validate and check links without validating target IP addresses against private IP ranges (RFC 1918, RFC 5735, link-local, loopback). The vulnerability is rooted in CWE-918 (Server-Side Request Forgery), a classic web application flaw where user-controlled input is used in server-initiated requests without proper allowlist or blocklist validation. An authenticated user can initially create a link with a public URL (passing any validation), then update it to target private IPs such as 169.254.169.254 (AWS IMDSv1), 127.0.0.1, or internal service IPs. When the links:check cron job executes periodically, it fetches and processes responses from these internal endpoints server-side, allowing the attacker to read the response content through the application's response handling. This is particularly dangerous in cloud-hosted deployments where metadata services expose temporary credentials and configuration data.

RemediationAI

Upgrade LinkAce to version 2.5.4 or later immediately, as the vendor has released a patched version that implements IP address validation in the LinkRepository::update and CheckLinksCommand::checkLink functions. The fix prevents requests to private IP ranges (RFC 1918, loopback, link-local, and other reserved ranges). After upgrading, verify that the links:check cron job is functioning correctly to ensure the fix is active in your environment. For organizations unable to upgrade immediately, disable or restrict the links:check cron job to prevent server-side requests, and limit link creation/update permissions to trusted users only as a temporary mitigation. Refer to the GitHub security advisory at https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm for comprehensive patch details and additional recommendations.

CVE-2025-53838 HIGH POC
8.4 Sep 08

LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 8.4), this vulnerability is remotel

CVE-2024-56508 HIGH POC
7.6 Dec 27

LinkAce is a self-hosted archive to collect links of your favorite websites. Rated high severity (CVSS 7.6), this vulner

CVE-2025-59424 HIGH POC
7.3 Sep 18

LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 7.3), this vulnerability is remotel

CVE-2026-27458 MEDIUM POC
5.4 Feb 21

Stored XSS in LinkAce 2.4.2 and below allows authenticated users to inject malicious JavaScript through improperly sanit

CVE-2024-56507 MEDIUM POC
5.4 Dec 27

LinkAce is a self-hosted archive to collect links of your favorite websites. Rated medium severity (CVSS 5.4), this vuln

CVE-2026-45343 HIGH
8.5 May 28

Stored cross-site scripting in LinkAce prior to 2.5.6 allows a low-privilege OAuth-authenticated user to plant a persist

CVE-2026-33953 HIGH
8.5 Mar 27

Server-Side Request Forgery (SSRF) in LinkAce self-hosted link archival application allows authenticated users to bypass

CVE-2026-45344 HIGH
8.1 May 28

Remote code execution in LinkAce self-hosted link archive versions prior to 2.5.6 allows unauthenticated remote attacker

CVE-2026-30953 HIGH
7.7 Mar 10

Server-side request forgery in LinkAce allows authenticated users to make arbitrary HTTP requests to internal network ad

CVE-2026-45342 HIGH
7.1 May 28

Cross-tenant resource tampering in LinkAce before 2.5.6 lets any authenticated user modify links, lists, tags, and notes

CVE-2026-33954 MEDIUM
6.5 Mar 27

LinkAce versions before 2.5.3 disclose private notes to authenticated users via the web interface when viewing shared li

CVE-2026-30954 MEDIUM
4.3 Mar 10

LinkAce versions 2.1.0 and earlier allow authenticated users to inappropriately associate other users' private taxonomie

Share

EUVD-2026-19682 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy