CVE-2026-35516
LinkAce has SSRF via CheckLinksCommand - Link URL Update Bypasses laravel-html-meta Protection
CVSS Score
5.0
EPSS Score
0.0%
EPSS Percentile
7th
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a public URL and then updating it to a private IP. The links:check cron job makes the request server-side without IP filtering. This can expose cloud credentials, internal service data, and network topology. This vulnerability is fixed in 2.5.4.
| CWE | CWE-918 |
| Vendor | kovah |
| Product | linkace |
| Published | Apr 7, 2026 |
| Last Updated | Apr 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for kovah linkace
Be the first to know when new medium vulnerabilities affecting kovah linkace are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None
Affected Versions
Kovah / LinkAce
< 2.5.4