Password Reset Poisoning Vulnerability in LinkAce by Kovah
CVE-2026-40905

8.1 HIGH

Key Information:

Vendor: Kovah
Status: Vendor
CVE Published: 21 April 2026

What is CVE-2026-40905?

LinkAce, a self-hosted link archiving application by Kovah, builds password reset links from the request's X-Forwarded-Host header. An unauthenticated attacker who submits a password reset request for a victim's email address while supplying an attacker-controlled X-Forwarded-Host value causes the application to generate, and email to the victim, a reset URL whose host is the attacker's domain. If the victim clicks that link, their browser sends the password reset token to the attacker's server; the attacker can then redeem the still-valid token against the real LinkAce instance, set a new password, and take over the account. The issue is fixed in LinkAce 2.5.4. Operators running an older version behind a reverse proxy can reduce exposure until they upgrade by having the proxy overwrite (not pass through) any client-supplied X-Forwarded-Host header, and by checking that reset emails always carry the instance's configured host.
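The following is an added illustration of the header-trust mistake behind password reset poisoning and of one way to close it. It is not LinkAce's code or the project's fix; the configuration names (APP_URL, TRUSTED_PROXIES), the request objects, the reset path and the addresses are all constructed for the example.

```python
"""Password reset poisoning: reset links derived from X-Forwarded-Host,
vulnerable pattern beside a hardened one. Constructed example, not LinkAce code."""
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlparse

# Assumed deployment configuration (illustrative values, not real settings).
APP_URL = "https://links.example.org"   # canonical origin the instance is served from
TRUSTED_PROXIES = {"10.0.0.5"}          # reverse proxies allowed to set X-Forwarded-*


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request."""
    peer_ip: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # Header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def host_vulnerable(req):
    """Vulnerable pattern: honour X-Forwarded-Host from any client at all."""
    return req.header("X-Forwarded-Host") or req.header("Host")


def host_hardened(req):
    """Only honour X-Forwarded-Host when it comes from a trusted proxy,
    then refuse any host that is not the configured canonical one."""
    forwarded = req.header("X-Forwarded-Host")
    if req.peer_ip in TRUSTED_PROXIES and forwarded:
        host = forwarded.split(",")[0].strip()   # first hop wins in a chain
    else:
        host = req.header("Host") or ""
    canonical = urlparse(APP_URL).netloc
    if host.lower() != canonical.lower():
        raise ValueError(f"untrusted host {host!r}; expected {canonical!r}")
    return canonical


def build_reset_url(host, token, email):
    """Compose the reset link. The path is illustrative, not LinkAce's route."""
    return f"https://{host}/password/reset/{token}?{urlencode({'email': email})}"


def reset_link_host(req, resolver, token="tok123", email="victim@example.org"):
    """Host the victim's reset link would point at, or None if the
    resolver rejected the request outright."""
    try:
        return urlparse(build_reset_url(resolver(req), token, email)).hostname
    except ValueError:
        return None


def is_poisoned(url):
    """Check a generated (or captured) reset link against the canonical host."""
    return urlparse(url).hostname != urlparse(APP_URL).hostname


# Constructed requests: an attacker injecting X-Forwarded-Host directly,
# an attacker spoofing Host, and a legitimate request via the trusted proxy.
ATTACKER_REQ = Request("203.0.113.7", {"Host": "links.example.org",
                                       "X-Forwarded-Host": "attacker.example"})
SPOOFED_HOST_REQ = Request("203.0.113.7", {"Host": "attacker.example"})
PROXIED_REQ = Request("10.0.0.5", {"Host": "10.0.0.9:8080",
                                   "X-Forwarded-Host": "links.example.org"})

if __name__ == "__main__":
    for label, req in [("attacker", ATTACKER_REQ), ("spoofed", SPOOFED_HOST_REQ),
                       ("proxied", PROXIED_REQ)]:
        print(label, "vulnerable ->", reset_link_host(req, host_vulnerable),
              "| hardened ->", reset_link_host(req, host_hardened))
```

The hardened resolver still reads headers, which is the minimum fix when an application must support multiple hostnames; the simplest and safest option for a single-tenant instance is to never derive the reset link from the request at all and always use the configured APP_URL. `is_poisoned` is the check an operator can run over reset emails captured from a test mailbox.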

Affected Version(s)

LinkAce < 2.5.4

CVSS v3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Note: the metric values listed above (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) compute to an 8.8 base score under the CVSS v3.1 formula. The stated 8.1 corresponds to the same vector with Availability set to None (A:N), which is the usual rating for an account-takeover issue that does not affect availability. The Availability value here is therefore likely mis-transcribed; confirm against the original advisory before relying on the breakdown.

Timeline

  • Vulnerability reserved

  • Vulnerability published: 21 April 2026