Server-Side Request Vulnerability in LinkAce by Kovah
CVE-2026-30953

7.7 HIGH

Key Information:

Vendor: Kovah

Status
Vendor

CVE Published: 10 March 2026

What is CVE-2026-30953?

LinkAce, a self-hosted bookmark manager, does not properly validate the URLs of user-created links. When a link is created, the server fetches the HTML metadata of the target URL without the safeguards needed to block requests to private IP addresses or internal network services, including services running within Docker and cloud metadata endpoints. This oversight can lead to unauthorized access to sensitive internal resources, exposing the system to various risks.

Affected Version(s)

LinkAce <= 2.0.0

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved