LinkAce allows internal network links to be created

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.7

LinkAce allows internal network links to be created

CVE-2026-30953

Summary

A security risk exists in LinkAce when creating new links. This is because the software doesn't check if the link points to an internal network address. This could allow users to create links to private or restricted areas of their own network. To fix this issue, the developers need to update the validation rules to include NoPrivateIpRule in the primary link creation path.

Original title

Original description

LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetches HTML metadata from the provided URL (LinkRepository::create() calls HtmlMeta::getFromUrl()). The LinkStoreRequest validation rules do not include NoPrivateIpRule, allowing server-side requests to internal network addresses, Docker service hostnames, and cloud metadata endpoints. The project already has a NoPrivateIpRule class (app/Rules/NoPrivateIpRule.php) but it is only applied in FetchController.php (line 99), not in the primary link creation path.

nvd CVSS3.1 7.7

Vulnerability type

CWE-918 Server-Side Request Forgery (SSRF)

https://github.com/Kovah/LinkAce/security/advisories/GHSA-f2mp-q78r-7jx7

Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026