Server-Side Request Forgery in LinkAce by Kovah
CVE-2026-33953

8.5HIGH

Key Information:

Vendor: Kovah
Status: Linkace
Vendor: CVE Published:; 27 March 2026

What is CVE-2026-33953?

LinkAce, a self-hosted archive for collecting website links, has a vulnerability that allows authenticated users to trigger server-side requests to internal resources. Despite blocking direct requests to private IP literals in versions prior to 2.5.3, the application does not completely mitigate risks when references are made via internal hostnames. This means that sensitive internal services can potentially be accessed through the LinkAce server, exposing critical data to authenticated users who should not have direct access. Version 2.5.3 addresses this issue with important security patches.

Affected Version(s)

LinkAce < 2.5.3

References

https://github.com/Kovah/LinkAce/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 27, 2026
Vulnerability Reserved
Mar 24, 2026

CVE-2026-33953 Data

JSON