Description
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a public URL and then updating it to a private IP. The links:check cron job makes the request server-side without IP filtering. This can expose cloud credentials, internal service data, and network topology. This vulnerability is fixed in 2.5.4.
Published: 2026-04-07
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Server Side Request Forgery exposing internal services and credentials
Action: Patch
AI Analysis

Impact

LinkAce versions before 2.5.4 contain a Server Side Request Forgery vulnerability that allows an authenticated user to trigger requests from the server to arbitrary IP addresses. By creating a link with a public URL and then updating it to point to a private IP, the internal link-checking command performs the request server-side without filtering, revealing responses from internal services such as cloud metadata endpoints or internal APIs. The flaw is a classic input validation weakness (CWE-918) and can expose sensitive data, credentials, and network topology.
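The description above names the two places the private-IP check was missing: the update path (a link is validated when created, then changed to point elsewhere) and the server-side link checker that later fetches whatever URL is stored. The following is an added illustration of the shape of that check, not LinkAce's own code (LinkAce is a PHP/Laravel application; Python is used here so the example runs stand-alone). The BLOCKED_NETWORKS list, the LinkStore class, the FAKE_DNS table and fake_resolver are all constructed for this example; the resolver is injectable so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed deny-list of address ranges an outbound link fetcher should never
# contact: RFC 1918, loopback, link-local (which contains the usual cloud
# metadata address 169.254.169.254), CGNAT, multicast, reserved, and their
# IPv6 counterparts.  Assumption for this example, not a list from LinkAce.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


def is_blocked_ip(ip_text):
    """True if the literal address falls in a blocked range."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 so ::ffff:10.0.0.1 is judged as 10.0.0.1.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def default_resolver(host):
    """Resolve host to every A/AAAA address; a literal IP resolves to itself."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url, resolver=default_resolver):
    """Return (ok, reason) for a URL the server is about to fetch.

    Every resolved address is checked, not just the first one, so a hostname
    that mixes public and private records is rejected as a whole.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = resolver(host)
    except socket.gaierror:
        return False, "host does not resolve"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


class LinkStore:
    """Hypothetical stand-in for a link repository plus its cron checker."""

    def __init__(self, resolver=default_resolver):
        self.resolver = resolver
        self.links = {}

    def create(self, link_id, url):
        ok, reason = validate_outbound_url(url, self.resolver)
        if not ok:
            raise ValueError(reason)
        self.links[link_id] = url

    def update(self, link_id, url):
        # The gap described in the advisory: update must run the same check
        # as create, otherwise a validated public URL can be swapped later.
        ok, reason = validate_outbound_url(url, self.resolver)
        if not ok:
            raise ValueError(reason)
        self.links[link_id] = url

    def check_link(self, link_id):
        # Re-validate at fetch time as well: the stored URL passed once, but
        # its DNS answer may have changed since then.
        return validate_outbound_url(self.links[link_id], self.resolver)


# Constructed DNS table so the example runs without network access.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet": ["10.1.2.3"],
    "mixed.example": ["93.184.216.34", "192.168.1.10"],
}


def fake_resolver(host):
    """Resolver stub: literal IPs resolve to themselves, names via FAKE_DNS."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise socket.gaierror(f"{host}: no such host")


if __name__ == "__main__":
    store = LinkStore(resolver=fake_resolver)
    store.create("l1", "https://example.com/page")
    for candidate in ("http://169.254.169.254/latest/meta-data/",
                      "http://intranet/api", "http://[::ffff:10.0.0.1]/"):
        try:
            store.update("l1", candidate)
        except ValueError as err:
            print("update rejected:", err)
    print("stored:", store.links["l1"], "check:", store.check_link("l1"))
```

Two design points worth noting. First, the deny-list is applied to the resolved addresses, not to the hostname text, because a public-looking name can point at an internal address. Second, validating at create, update and fetch time closes the gap the advisory describes, but the fetch itself should also connect to the address that was just validated (for example by pinning the resolved IP for that request) rather than resolving the name a second time; this example only shows the validation half of that.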

Affected Systems

Kovah LinkAce self-hosted link management application. All releases prior to 2.5.4 are vulnerable; the fix included in 2.5.4 and later validates the target URL and blocks private IP ranges.

Risk and Exploitability

The CVSS score of 5.0 indicates moderate severity. The EPSS score of less than 1% suggests low to moderate likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an authenticated user; once an attacker can create and update links, they can read internal responses, potentially obtaining credentials or sensitive network information. Patching to 2.5.4 removes the ability to target private addresses, eliminating the risk.

Generated by OpenCVE AI on April 14, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update LinkAce to version 2.5.4 or later
  • Disable or restrict the links:check cron job until the patch is applied
  • Apply firewall rules to block the server’s outbound traffic to private IP ranges or internal network endpoints


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 20:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Linkace; Linkace linkace
Type: CPEs
  Values Removed: (none)
  Values Added: cpe:2.3:a:linkace:linkace:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Linkace; Linkace linkace

Thu, 09 Apr 2026 15:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 20:15:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Kovah; Kovah linkace
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Kovah; Kovah linkace

Tue, 07 Apr 2026 18:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a public URL and then updating it to a private IP. The links:check cron job makes the request server-side without IP filtering. This can expose cloud credentials, internal service data, and network topology. This vulnerability is fixed in 2.5.4.
Type: Title
  Values Removed: (none)
  Values Added: LinkAce has SSRF via CheckLinksCommand - Link URL Update Bypasses laravel-html-meta Protection
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-918
Type: References
  Values Removed: (none)
  Values Added: (none)
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1
  {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T14:36:27.061Z

Reserved: 2026-04-03T02:15:39.280Z

Link: CVE-2026-35516

Vulnrichment

Updated: 2026-04-09T14:36:13.913Z

NVD

Status : Analyzed

Published: 2026-04-07T16:16:27.937

Modified: 2026-04-14T20:27:53.187

Link: CVE-2026-35516

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses