Impact
This vulnerability arises in versions of LinkAce prior to 2.5.4, where the application accepts the X‑Forwarded‑Host header as trusted when constructing password‑reset URLs. By forging this header in a password‑reset request, an attacker can cause the system to generate an email containing a reset link that points to an attacker‑controlled domain. The victim subsequently receives the email, clicks the link, and the embedded reset token is sent to the attacker’s server. The attacker can then use that token to reset the victim’s password, thereby taking full control of the account. The flaw is a classic open‑redirect style injection, classified under CWE‑601.
Affected Systems
Kovah's LinkAce, a self-hosted link-storage application: any installation running a version older than 2.5.4 is affected, regardless of operating system, web server, or database. The vulnerability manifests whenever the X-Forwarded-Host header is allowed to pass from the client through to the application during a password-reset request.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity. The advisory documents no privileged-access requirement, which suggests the attack can be carried out with user-level or even unauthenticated access (an inference from the advisory text, not an explicit statement). The EPSS score is not published, so the exploitation probability cannot be quantified. An attacker can set the header directly on the reset request or inject it through a compromised internal proxy, in either case forcing the application to send a reset link that points at a domain they control. The vulnerability is not listed in CISA's KEV catalog, implying no known active exploitation; however, the straightforward nature of the attack could readily support large-scale phishing campaigns.
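The following is an added illustration, not LinkAce's own code: a minimal reset-URL builder in the pre-2.5.4 shape (host taken straight from X-Forwarded-Host) beside a hardened variant that honours the header only from a trusted proxy and only for an allow-listed host, plus a check that flags forged headers for logging. The host names, proxy address and token are constructed values.

```python
from urllib.parse import urlunsplit

# Constructed configuration for this example (not LinkAce's real settings).
CANONICAL_HOST = "links.example.org"
TRUSTED_PROXIES = {"10.0.0.5"}  # only this reverse proxy may set forwarded headers
ALLOWED_HOSTS = {"links.example.org", "links.internal.example.org"}
RESET_PATH = "/password/reset"


def _first_hop(forwarded: str) -> str:
    """Normalise an X-Forwarded-Host value: first hop only, port stripped, lower-case."""
    return forwarded.split(",")[0].strip().split(":")[0].lower()


def reset_url_vulnerable(headers: dict, token: str) -> str:
    """Pre-2.5.4 behaviour: whatever X-Forwarded-Host says becomes the link host,
    so a forged header puts the reset token into a link to a foreign domain."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", CANONICAL_HOST)
    return urlunsplit(("https", host, RESET_PATH, f"token={token}", ""))


def resolve_host(headers: dict, client_ip: str) -> str:
    """Hardened host selection: accept X-Forwarded-Host only when the request
    arrived from a trusted proxy AND the value is allow-listed; else canonical."""
    forwarded = headers.get("X-Forwarded-Host")
    if forwarded and client_ip in TRUSTED_PROXIES:
        candidate = _first_hop(forwarded)
        if candidate in ALLOWED_HOSTS:
            return candidate
    return CANONICAL_HOST


def reset_url_hardened(headers: dict, token: str, client_ip: str) -> str:
    """Fixed behaviour: the link host can never be controlled by the requester."""
    return urlunsplit(("https", resolve_host(headers, client_ip), RESET_PATH, f"token={token}", ""))


def flag_suspicious(headers: dict, client_ip: str) -> bool:
    """Detection hook: a forwarded host that is not allow-listed, or not sent by a
    known proxy, should be logged before any reset e-mail is generated."""
    forwarded = headers.get("X-Forwarded-Host")
    if not forwarded:
        return False
    return client_ip not in TRUSTED_PROXIES or _first_hop(forwarded) not in ALLOWED_HOSTS
```

In a real deployment the same policy belongs at the reverse proxy (drop or overwrite client-supplied X-Forwarded-Host) as well as in the application, so that a single misconfiguration does not reopen the issue.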
OpenCVE Enrichment