{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35516", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T02:15:39.280Z", "datePublished": "2026-04-07T15:14:45.891Z", "dateUpdated": "2026-04-09T14:36:27.061Z"}, "containers": {"cna": {"title": "LinkAce has SSRF via CheckLinksCommand - Link URL Update Bypasses laravel-html-meta Protection", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm"}], "affected": [{"vendor": "Kovah", "product": "LinkAce", "versions": [{"version": "< 2.5.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:14:45.891Z"}, "descriptions": [{"lang": "en", "value": "LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a public URL and then updating it to a private IP. The links:check cron job makes the request server-side without IP filtering. This can expose cloud credentials, internal service data, and network topology. This vulnerability is fixed in 2.5.4."}], "source": {"advisory": "GHSA-4jhm-r4f5-p7xm", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:36:23.038676Z", "id": "CVE-2026-35516", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:36:27.061Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35516", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T14:36:23.038676Z"}}}], "references": [{"url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:36:13.913Z"}}], "cna": {"title": "LinkAce has SSRF via CheckLinksCommand - Link URL Update Bypasses laravel-html-meta Protection", "source": {"advisory": "GHSA-4jhm-r4f5-p7xm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Kovah", "product": "LinkAce", "versions": [{"status": "affected", "version": "< 2.5.4"}]}], "references": [{"url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm", "name": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a public URL and then updating it to a private IP. The links:check cron job makes the request server-side without IP filtering. This can expose cloud credentials, internal service data, and network topology. This vulnerability is fixed in 2.5.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:14:45.891Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35516", "state": "PUBLISHED", "dateUpdated": "2026-04-09T14:36:27.061Z", "dateReserved": "2026-04-03T02:15:39.280Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T15:14:45.891Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a public URL and then updating it to a private IP. The links:check cron job makes the request server-side without IP filtering. This can expose cloud credentials, internal service data, and network topology. This vulnerability is fixed in 2.5.4."}], "id": "CVE-2026-35516", "lastModified": "2026-04-09T15:16:12.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T16:16:27.937", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "LinkAce", "source": "cna", "vendor": "Kovah"}, "product": "linkace", "vendor": "kovah"}], "analysis": {"en": {"generated_at": "2026-04-07T22:49:12.534294+00:00", "value": {"mitigation_remediation": ["Upgrade LinkAce to version 2.5.4 or later.", "If an upgrade is not immediately possible, disable or modify the links:check cron job to reject private IP ranges.", "Configure network firewalls to block outbound connections from the application to private IP addresses.", "Enforce the use of IMDSv2 if running on AWS to mitigate unauthorized metadata access."], "summary": {"action": "Patch", "impact": "Internal Information Disclosure"}, "threat_synthesis": {"affected_systems": "The flaw affects all installations of Kovah's LinkAce application up to, but not including, version 2.5.4. Versions prior to 2.5.4 lack the IP\u2011address validation in both the LinkRepository::update method and the CheckLinksCommand::checkLink scheduler task.", "description_and_impact": "LinkAce, a self-hosted link archive, has a Server\u2011Side Request Forgery flaw because certain code paths avoid checking for private IP addresses. The vulnerability allows an authenticated user to craft or update a link URL so that a background cron job fetches data from an internal service or cloud metadata endpoint. As a result, sensitive internal information\u2014such as cloud credentials, internal APIs, and network topology\u2014can be exposed. The weakness is classified as CWE\u2011918.", "risk_and_exploitability": "The CVSS score of 5.0 reflects moderate severity. Exploitation requires legitimate authentication to the application and the ability to create or update a link, and it is performed server\u2011side by a cron job. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed widespread exploitation yet. Nonetheless, the potential to expose cloud metadata or internal services warrants prompt attention."}}}}, "created": "2026-04-08T19:37:09.694679+00:00", "updated": "2026-04-08T19:48:25.402913+00:00", "vendors": ["kovah", "kovah$PRODUCT$linkace"]}