CVE-2026-35516

MEDIUM

LinkAce has SSRF via CheckLinksCommand - Link URL Update Bypasses laravel-html-meta Protection

Title source: cna

Description

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a public URL and then updating it to a private IP. The links:check cron job makes the request server-side without IP filtering. This can expose cloud credentials, internal service data, and network topology. This vulnerability is fixed in 2.5.4.

References (1)

[X_Refsource_Confirm] https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm

Scores

CVSS v3 5.0

EPSS 0.0003

EPSS Percentile 8.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (2)

Kovah/LinkAce < 2.5.4

linkace/linkace < 2.5.4

Published Apr 07, 2026

Tracked Since Apr 07, 2026