CVE-2026-44313: Linkwarden: Unvalidated HTTP Requests Can Expose Internal Services
Summary
Linkwarden, a self-hosted bookmark manager, had a Server-Side Request Forgery (SSRF) flaw in versions before 2.13.0 that let authenticated users make the server send HTTP requests to internal services. This could have allowed them to access sensitive information or disrupt internal systems. Update to version 2.13.0 or later to fix this issue.
Original title
Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. Prior to version 2.13.0, a Server-Side Request Forgery (SSRF) vulnerability in the...
Original description
Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. Prior to version 2.13.0, a Server-Side Request Forgery (SSRF) vulnerability in the fetchTitleAndHeaders function allows authenticated users to make arbitrary HTTP requests to internal services due to insufficient URL validation that only checks for "http://" or "https://" prefixes. This issue has been patched in version 2.13.0.
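The prefix-only check described above, next to a check on the parsed URL and the addresses it resolves to. This is an added example, not Linkwarden's code or its 2.13.0 patch; the function names, the blocked ranges and the stub resolver are assumptions made here.

```javascript
// Added illustration, not Linkwarden's code; all function names are hypothetical.
const net = require('node:net');

// The weak pattern the advisory describes: only the scheme prefix is checked.
function prefixOnlyCheck(raw) {
  return raw.startsWith('http://') || raw.startsWith('https://');
}

// Ranges a server-side fetcher should not reach on a user's behalf.
const internal = new net.BlockList();
for (const [addr, bits] of [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
]) internal.addSubnet(addr, bits, 'ipv4');
internal.addAddress('::', 'ipv6');
internal.addAddress('::1', 'ipv6');
internal.addSubnet('fc00::', 7, 'ipv6');
internal.addSubnet('fe80::', 10, 'ipv6');

function isInternalAddress(ip) {
  const family = net.isIP(ip);          // 4, 6, or 0 when not an IP literal
  if (family === 0) return true;        // fail closed on anything unparseable
  return internal.check(ip, family === 4 ? 'ipv4' : 'ipv6');
}

// Hardened check. `resolve` maps a hostname to the addresses DNS returned for
// it; in production these would be the addresses from dns.promises.lookup(host, {all: true}).
function validateOutboundUrl(raw, resolve) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'unparseable' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme' };
  }
  const host = url.hostname.replace(/^\[|\]$/g, '');  // strip IPv6 brackets
  const addrs = net.isIP(host) ? [host] : resolve(host);
  if (addrs.length === 0) return { ok: false, reason: 'unresolved' };
  const bad = addrs.find(isInternalAddress);
  return bad ? { ok: false, reason: `internal:${bad}` } : { ok: true, addrs };
}

// Constructed stand-in for DNS so the example runs offline.
const demoDns = { 'intranet.example': ['10.0.0.5'], 'public.example': ['203.0.113.10'] };
const demoResolve = (host) => demoDns[host] || [];
```

A check like this only holds if the request then connects to the validated addresses and every redirect target is validated the same way.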
NVD CVSS 3.1
9.1
Vulnerability type
CWE-918
Server-Side Request Forgery (SSRF)
Published: 9 May 2026 · Updated: 23 May 2026 · First seen: 9 May 2026