{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30953", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T17:34:39.980Z", "datePublished": "2026-03-10T20:38:48.381Z", "dateUpdated": "2026-03-11T14:37:18.597Z"}, "containers": {"cna": {"title": "LinkAce affected by SSRF via link creation: NoPrivateIpRule not applied to LinkStoreRequest", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-f2mp-q78r-7jx7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-f2mp-q78r-7jx7"}], "affected": [{"vendor": "Kovah", "product": "LinkAce", "versions": [{"version": "<= 2.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T20:38:48.381Z"}, "descriptions": [{"lang": "en", "value": "LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetches HTML metadata from the provided URL (LinkRepository::create() calls HtmlMeta::getFromUrl()). The LinkStoreRequest validation rules do not include NoPrivateIpRule, allowing server-side requests to internal network addresses, Docker service hostnames, and cloud metadata endpoints. The project already has a NoPrivateIpRule class (app/Rules/NoPrivateIpRule.php) but it is only applied in FetchController.php (line 99), not in the primary link creation path."}], "source": {"advisory": "GHSA-f2mp-q78r-7jx7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T14:37:06.482594Z", "id": "CVE-2026-30953", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:37:18.597Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "LinkAce affected by SSRF via link creation: NoPrivateIpRule not applied to LinkStoreRequest", "source": {"advisory": "GHSA-f2mp-q78r-7jx7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Kovah", "product": "LinkAce", "versions": [{"status": "affected", "version": "<= 2.0.0"}]}], "references": [{"url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-f2mp-q78r-7jx7", "name": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-f2mp-q78r-7jx7", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetches HTML metadata from the provided URL (LinkRepository::create() calls HtmlMeta::getFromUrl()). The LinkStoreRequest validation rules do not include NoPrivateIpRule, allowing server-side requests to internal network addresses, Docker service hostnames, and cloud metadata endpoints. The project already has a NoPrivateIpRule class (app/Rules/NoPrivateIpRule.php) but it is only applied in FetchController.php (line 99), not in the primary link creation path."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T20:38:48.381Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30953", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T14:37:06.482594Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-11T14:37:11.629Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-30953", "state": "PUBLISHED", "dateUpdated": "2026-03-10T20:38:48.381Z", "dateReserved": "2026-03-07T17:34:39.980Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T20:38:48.381Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linkace:linkace:*:*:*:*:*:*:*:*", "matchCriteriaId": "856DBDB1-EF9C-4AAE-BB67-D606C7050A86", "versionEndIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetches HTML metadata from the provided URL (LinkRepository::create() calls HtmlMeta::getFromUrl()). The LinkStoreRequest validation rules do not include NoPrivateIpRule, allowing server-side requests to internal network addresses, Docker service hostnames, and cloud metadata endpoints. The project already has a NoPrivateIpRule class (app/Rules/NoPrivateIpRule.php) but it is only applied in FetchController.php (line 99), not in the primary link creation path."}, {"lang": "es", "value": "LinkAce es un archivo autoalojado para recopilar enlaces de sitios web. Cuando un usuario crea un enlace a trav\u00e9s de POST /links, el servidor obtiene metadatos HTML de la URL proporcionada (LinkRepository::create() llama a HtmlMeta::getFromUrl()). Las reglas de validaci\u00f3n de LinkStoreRequest no incluyen NoPrivateIpRule, lo que permite solicitudes del lado del servidor a direcciones de red internas, nombres de host de servicios Docker y puntos finales de metadatos en la nube. El proyecto ya tiene una clase NoPrivateIpRule (app/Rules/NoPrivateIpRule.PHP) pero solo se aplica en FetchController.PHP (l\u00ednea 99), no en la ruta principal de creaci\u00f3n de enlaces."}], "id": "CVE-2026-30953", "lastModified": "2026-03-17T16:13:30.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-10T21:16:48.347", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-f2mp-q78r-7jx7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "LinkAce", "source": "cna", "vendor": "Kovah"}, "product": "linkace", "vendor": "kovah"}], "analysis": {"en": {"generated_at": "2026-03-17T17:28:48.699048+00:00", "value": {"mitigation_remediation": ["Apply the latest Patch from Kovah that enforces NoPrivateIpRule in LinkStoreRequest. If no patch is available, update the Request class to include NoPrivateIpRule before metadata fetch. Block or filter internal network addresses in your reverse proxy or firewall to prevent outbound connections to private IP ranges. Monitor LinkAce logs for unexpected link creation attempts and validate fetched URLs against a whitelist of allowed domains. Refer to the official advisory at https://github.com/Kovah/LinkAce/security/advisories/GHSA-f2mp-q78r-7jx7 for further guidance."], "summary": {"action": "Apply Patch", "impact": "Server-side Request Forgery"}, "threat_synthesis": {"affected_systems": "The affected product is Kovah's LinkAce, a self\u2011hosted link aggregation platform. No version identifier is supplied; as the issue is present in the default link creation path, all installed instances that have not upgraded to a version where the NoPrivateIpRule is applied to LinkStoreRequest are potentially vulnerable.", "description_and_impact": "A Server-Steal request-forgery flaw in the LinkAce application allows a user who submits a new link via POST /links to trigger the server to fetch HTML metadata from an arbitrary URL. The LinkStoreRequest validation rules omit the NoPrivateIpRule, so the server may request internal network addresses, Docker hostnames, or cloud metadata services. This flaw is identified as CWE-918, giving an attacker the ability to read internal network resources, exfiltrate sensitive data, or potentially pivot to further attacks. The CVSS base score of 7.7 indicates high severity.", "risk_and_exploitability": "The vulnerability has a low EPSS probability (<1%) and is not listed in the CISA KEV catalog, but the high CVSS score signals significant potential impact. Exploitation is likely straightforward: a malicious or compromised user can issue a crafted POST /links request embedding an attacker\u2011controlled URL that resolves to a private IP or internal service. No authentication requirement is noted in the description, implying that any user who can access the link creation endpoint could exploit it. Attack success depends on the target environment having reachable internal services; if the target network is already isolated, the practical impact may be reduced."}}}}, "created": "2026-03-11T11:42:47.733546+00:00", "updated": "2026-03-20T14:33:57.591697+00:00", "vendors": ["kovah", "kovah$PRODUCT$linkace"]}