{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35516", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T02:15:39.280Z", "datePublished": "2026-04-07T15:14:45.891Z", "dateUpdated": "2026-04-09T14:36:27.061Z"}, "containers": {"cna": {"title": "LinkAce has SSRF via CheckLinksCommand - Link URL Update Bypasses laravel-html-meta Protection", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm"}], "affected": [{"vendor": "Kovah", "product": "LinkAce", "versions": [{"version": "< 2.5.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:14:45.891Z"}, "descriptions": [{"lang": "en", "value": "LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a public URL and then updating it to a private IP. The links:check cron job makes the request server-side without IP filtering. This can expose cloud credentials, internal service data, and network topology. This vulnerability is fixed in 2.5.4."}], "source": {"advisory": "GHSA-4jhm-r4f5-p7xm", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:36:23.038676Z", "id": "CVE-2026-35516", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:36:27.061Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35516", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T14:36:23.038676Z"}}}], "references": [{"url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:36:13.913Z"}}], "cna": {"title": "LinkAce has SSRF via CheckLinksCommand - Link URL Update Bypasses laravel-html-meta Protection", "source": {"advisory": "GHSA-4jhm-r4f5-p7xm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Kovah", "product": "LinkAce", "versions": [{"status": "affected", "version": "< 2.5.4"}]}], "references": [{"url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm", "name": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a public URL and then updating it to a private IP. The links:check cron job makes the request server-side without IP filtering. This can expose cloud credentials, internal service data, and network topology. This vulnerability is fixed in 2.5.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:14:45.891Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35516", "state": "PUBLISHED", "dateUpdated": "2026-04-09T14:36:27.061Z", "dateReserved": "2026-04-03T02:15:39.280Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T15:14:45.891Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linkace:linkace:*:*:*:*:*:*:*:*", "matchCriteriaId": "1B6A4089-79B4-45A5-AF07-95336D858B6E", "versionEndExcluding": "2.5.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a public URL and then updating it to a private IP. The links:check cron job makes the request server-side without IP filtering. This can expose cloud credentials, internal service data, and network topology. This vulnerability is fixed in 2.5.4."}], "id": "CVE-2026-35516", "lastModified": "2026-04-14T20:27:53.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T16:16:27.937", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "LinkAce", "source": "cna", "vendor": "Kovah"}, "product": "linkace", "vendor": "kovah"}], "analysis": {"en": {"generated_at": "2026-04-14T22:37:03.198930+00:00", "value": {"mitigation_remediation": ["Update LinkAce to version 2.5.4 or later", "Disable or restrict the links:check cron job until the patch is applied", "Apply firewall rules to block the server\u2019s outbound traffic to private IP ranges or internal network endpoints"], "summary": {"action": "Patch", "impact": "Remote Server Side Request Forgery exposing internal services and credentials"}, "threat_synthesis": {"affected_systems": "Kovah LinkAce self\u2011hosted link management application. All releases prior to 2.5.4 are vulnerable; the fix retained in 2.5.4 and later validates the target URL and blocks private IP ranges.", "description_and_impact": "LinkAce versions before 2.5.4 contain a Server Side Request Forgery vulnerability that allows an authenticated user to trigger requests from the server to arbitrary IP addresses. By creating a link with a public URL and then updating it to point to a private IP, the internal link\u2011checking command performs the request server\u2011side without filtering, revealing responses from internal services such as cloud metadata endpoints or internal APIs. The flaw is a classic input validation weakness (CWE\u2011918) and can expose sensitive data, credentials, and network topology.", "risk_and_exploitability": "The CVSS score of 5.0 indicates moderate severity. The EPSS score of less than 1% suggests low to moderate likelihood of exploitation, but the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires an authenticated user; once the attacker can create and update links, they can read internal responses, potentially obtaining credentials or sensitive network information. Patching to 2.5.4 removes the ability to target private addresses, eliminating the risk."}}}}, "created": "2026-04-08T19:37:09.694679+00:00", "updated": "2026-04-15T16:30:09.723147+00:00", "vendors": ["kovah", "kovah$PRODUCT$linkace"]}