Description
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup endpoints and supply a database they control can inject mail configuration variables and achieve command execution when the application later sends mail. This vulnerability is fixed in 2.5.6.
Published: 2026-05-28
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs during the initial setup of LinkAce instances that have not yet been configured. The setup flow writes attacker‑controlled database credentials directly into the .env file without proper escaping, allowing a newline injection that can add arbitrary mail‑configuration variables. When the application later performs a mail operation, the injected variables can be used to execute commands through the mail system, giving the attacker remote code execution on the server.

Affected Systems

This flaw affects installations of Kovah LinkAce versions earlier than 2.5.6 that have not completed the initial configuration. Any uninitialized instance that exposes the setup endpoints to the internet or to an attacker‑controlled network segment is vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, and the EPSS score is not available, so the exploitation probability is uncertain. The vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities catalogue, but the ability to execute code remotely via a publicly reachable initial setup process makes it feasible for attackers. A typical attack would involve sending a crafted set of database credentials to the /setup endpoint, using newline characters to append mail variables; when the application later sends an email, the injected configuration is used and arbitrary code execution follows.

Generated by OpenCVE AI on May 28, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to LinkAce 2.5.6 or later, where the injection is fixed.
  • Restrict access to the setup endpoints on fresh installations, for example by placing the instance behind a firewall or requiring authentication before configuration is possible.
  • Immediately remove any uninitialized instance from public reach and audit the .env file for unexpected mail‑configuration entries.

Generated by OpenCVE AI on May 28, 2026 at 22:26 UTC.
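The two points above, the unescaped write of a submitted value into .env and the recommended audit of .env for unexpected mail entries, as an added Python example that is not LinkAce's own code (LinkAce itself is PHP). It places a minimal dotenv writer in the defective pattern beside a hardened one that rejects control characters and quotes values, and adds a small parser and audit routine that flag duplicate or unexpected MAIL_ keys. The sample file, the expected-key set and all function names are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample .env for an uninitialized install (illustrative, not LinkAce's real file).
SAMPLE_ENV = "APP_NAME=LinkAce\nDB_CONNECTION=mysql\nDB_PASSWORD=\nMAIL_MAILER=log\n"

# Assumed set of mail keys a fresh install is expected to carry; others are flagged.
EXPECTED_MAIL_KEYS = {"MAIL_MAILER", "MAIL_HOST", "MAIL_PORT", "MAIL_FROM_ADDRESS"}

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
_KEY = re.compile(r"^[A-Z][A-Z0-9_]*$")


def _replace_or_append(env_text: str, key: str, rhs: str) -> str:
    """Rewrite the line for `key` (or append one) with `rhs` placed after '=' verbatim."""
    lines = env_text.splitlines()
    new_line = f"{key}={rhs}"
    for i, line in enumerate(lines):
        if line.split("=", 1)[0] == key:
            lines[i] = new_line
            break
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


def set_env_value_unescaped(env_text: str, key: str, value: str) -> str:
    """The defective pattern the advisory describes: the submitted value is written
    as-is, so a newline inside it ends the assignment and whatever follows becomes
    a fresh line of the file, i.e. a new configuration variable."""
    return _replace_or_append(env_text, key, value)


def set_env_value_escaped(env_text: str, key: str, value: str) -> str:
    """Hardened writer: validate the key, refuse any control character in the value,
    and always emit a double-quoted, backslash-escaped value so it can only ever be
    read back as a single assignment."""
    if not _KEY.match(key):
        raise ValueError(f"invalid key: {key!r}")
    if _CONTROL.search(value):
        raise ValueError("value contains control characters")
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return _replace_or_append(env_text, key, f'"{escaped}"')


def parse_env(env_text: str) -> List[Tuple[str, str]]:
    """Minimal dotenv reader returning (key, value) pairs in file order; duplicates
    are kept on purpose so an audit can see them."""
    pairs = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            # Undo the backslash escaping used by the hardened writer.
            value = re.sub(r'\\(["\\])', r"\1", value[1:-1])
        pairs.append((key.strip(), value))
    return pairs


def audit_env(env_text: str) -> List[str]:
    """Findings a defender checking a suspect .env would want: keys assigned more than
    once (one assignment silently shadows the other) and MAIL_ keys outside the set a
    fresh install is expected to have."""
    findings = []
    seen = set()
    for key, _ in parse_env(env_text):
        if key in seen:
            findings.append(f"duplicate key {key}")
        seen.add(key)
        if key.startswith("MAIL_") and key not in EXPECTED_MAIL_KEYS:
            findings.append(f"unexpected mail key {key}")
    return findings


if __name__ == "__main__":
    tainted = set_env_value_unescaped(SAMPLE_ENV, "DB_PASSWORD", "secret\nMAIL_MAILER=smtp")
    print(audit_env(tainted))  # the injected line shows up as a duplicate MAIL_MAILER
    try:
        set_env_value_escaped(SAMPLE_ENV, "DB_PASSWORD", "secret\nMAIL_MAILER=smtp")
    except ValueError as exc:
        print("rejected:", exc)
```

The hardened writer rejects rather than strips control characters: silently removing a newline would change the password the operator typed, whereas an explicit error makes the setup form fail visibly. The audit deliberately reports duplicates as well as unknown keys, because an injected line can carry a key the file already has and only the shadowing reveals it.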

Tracking


Advisories

No advisories yet.

History

Thu, 28 May 2026 23:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Kovah; Kovah linkace

Type: Vendors & Products
Values Removed: (none)
Values Added: Kovah; Kovah linkace

Thu, 28 May 2026 21:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup endpoints and supply a database they control can inject mail configuration variables and achieve command execution when the application later sends mail. This vulnerability is fixed in 2.5.6.

Type: Title
Values Removed: (none)
Values Added: LinkAce: Setup database password newline injection enables pre-auth RCE on uninitialized instances

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-74

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T20:41:45.386Z

Reserved: 2026-05-11T21:40:08.177Z

Link: CVE-2026-45344

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-28T22:17:00.497

Modified: 2026-05-29T02:44:14.130

Link: CVE-2026-45344

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T23:00:15Z

Weaknesses