{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30954", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T17:34:39.981Z", "datePublished": "2026-03-10T20:40:31.011Z", "dateUpdated": "2026-03-11T14:30:40.687Z"}, "containers": {"cna": {"title": "LinkAce has a Cross-User Tag/List Attachment IDOR in processTaxonomy()", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-vc99-cgj6-wwxh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-vc99-cgj6-wwxh"}], "affected": [{"vendor": "Kovah", "product": "LinkAce", "versions": [{"version": "<= 2.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T20:40:31.011Z"}, "descriptions": [{"lang": "en", "value": "LinkAce is a self-hosted archive to collect website links. In 2.1.0 and earlier, the processTaxonomy() method in LinkRepository.php allows authenticated users to attach other users' private tags and lists to their own links by passing integer IDs."}], "source": {"advisory": "GHSA-vc99-cgj6-wwxh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T14:29:50.216265Z", "id": "CVE-2026-30954", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:30:40.687Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30954", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T14:29:50.216265Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:29:54.866Z"}}], "cna": {"title": "LinkAce has a Cross-User Tag/List Attachment IDOR in processTaxonomy()", "source": {"advisory": "GHSA-vc99-cgj6-wwxh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "Kovah", "product": "LinkAce", "versions": [{"status": "affected", "version": "<= 2.1.0"}]}], "references": [{"url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-vc99-cgj6-wwxh", "name": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-vc99-cgj6-wwxh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "LinkAce is a self-hosted archive to collect website links. In 2.1.0 and earlier, the processTaxonomy() method in LinkRepository.php allows authenticated users to attach other users' private tags and lists to their own links by passing integer IDs."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T20:40:31.011Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30954", "state": "PUBLISHED", "dateUpdated": "2026-03-11T14:30:40.687Z", "dateReserved": "2026-03-07T17:34:39.981Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T20:40:31.011Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linkace:linkace:*:*:*:*:*:*:*:*", "matchCriteriaId": "DCEC05A7-54E7-4D18-A6C0-6F7C0EF30EC0", "versionEndIncluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LinkAce is a self-hosted archive to collect website links. In 2.1.0 and earlier, the processTaxonomy() method in LinkRepository.php allows authenticated users to attach other users' private tags and lists to their own links by passing integer IDs."}, {"lang": "es", "value": "LinkAce es un archivo autoalojado para recopilar enlaces de sitios web. En 2.1.0 y versiones anteriores, el m\u00e9todo processTaxonomy() en LinkRepository.PHP permite a usuarios autenticados adjuntar etiquetas y listas privadas de otros usuarios a sus propios enlaces pasando IDs enteros."}], "id": "CVE-2026-30954", "lastModified": "2026-03-17T16:13:55.080", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T21:16:48.513", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-vc99-cgj6-wwxh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "LinkAce", "source": "cna", "vendor": "Kovah"}, "product": "linkace", "vendor": "kovah"}], "analysis": {"en": {"generated_at": "2026-03-17T17:28:34.532815+00:00", "value": {"mitigation_remediation": ["Upgrade LinkAce to a version that removes the vulnerable processTaxonomy() implementation. If an immediate upgrade is not possible, consider disabling or restricting the endpoint that allows tag/list attachment until a patch is released.", "Monitor user activity logs for abnormal attachment patterns that could indicate exploitation of the IDOR.", "Verify that all exposed APIs enforce proper ownership checks before allowing tags or lists to be associated with a user\u2019s link."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized access to private tags and lists (IDOR)"}, "threat_synthesis": {"affected_systems": "The affected product is Kovah\u2019s LinkAce. All releases prior to and including version 2.1.0 are impacted, as they include the vulnerable processTaxonomy() implementation. The exact patch version is not specified in the advisory, but any release subsequent to 2.1.0 that removes or restricts the ID reference should resolve the issue.", "description_and_impact": "LinkAce 2.1.0 and earlier contain a flaw in the processTaxonomy() method of LinkRepository.php that allows any authenticated user to attach private tags and lists belonging to other users to their own links by supplying integer IDs. This grants the malicious user the ability to associate or expose another user\u2019s private organizational data, effectively bypassing intended per-user isolation. The weakness is a classic Insecure Direct Object Reference (CWE\u2011639) and results in unauthorized data manipulation rather than direct system compromise.", "risk_and_exploitability": "The CVSS v3.1 score for this issue is 5.3, indicating a moderate severity. EPSS is reported at less than\u202f1\u202f%, suggesting a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a valid authenticated session and access to the vulnerable endpoint; therefore, only legitimate users can trigger the IDOR. Attackers would send requests with manipulated tag or list identifiers to attach the target\u2019s private items to their own records. Because the flaw lies in the business\u2011logic layer, the attack is feasible for any user with normal privileges on the affected instance."}}}}, "created": "2026-03-11T11:42:46.444210+00:00", "updated": "2026-03-20T14:33:56.720617+00:00", "vendors": ["kovah", "kovah$PRODUCT$linkace"]}