CVE-2026-33953
Severity: HIGH
LinkAce's SSRF protection can be bypassed via internal hostname resolution in LinkAce
Title source: cnaDescription
LinkAce is a self-hosted archive for collecting website links. Versions prior to 2.5.3 block direct requests to private IP literals but still perform server-side requests to internal-only resources when those resources are referenced through an internal hostname. This allows an authenticated user to trigger server-side requests to internal services that are reachable from the LinkAce server but not directly reachable by an external user. Version 2.5.3 patches the issue.
References (1)
x_refsource_confirm: https://github.com/Kovah/LinkAce/security/advisories/GHSA-wp4g-qw9j-wfjg
Scores
CVSS v3: 8.5
EPSS: 0.0027
EPSS Percentile: 18.9%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-918
Status: published
Products (2)
Kovah/LinkAce: < 2.5.3
linkace/linkace: < 2.5.3
Published: Mar 27, 2026
Tracked Since: Mar 29, 2026