PT-2026-24434 · Linkace · Linkace

Kovah · Published 2026-03-10 · Updated 2026-03-10 · CVE-2026-30953

CVSS v3.1: 7.7 High

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: LinkAce (affected versions not specified)
Description: LinkAce is a self-hosted archive for collecting website links. A flaw exists in the link creation process: the server fetches HTML metadata from a URL provided via a POST request to the /links endpoint, but the validation rules for LinkStoreRequest do not include a rule to prevent requests to internal network addresses, Docker service hostnames, and cloud metadata endpoints. A NoPrivateIpRule class exists within the project, but it is applied only in FetchController.php and not during the primary link creation process. This could allow an attacker to access internal resources or sensitive information.
Recommendations: Apply the NoPrivateIpRule class to the LinkStoreRequest validation rules in the link creation path to prevent requests to internal network addresses, Docker service hostnames, and cloud metadata endpoints.
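
The kind of destination check the recommendation calls for, as an added plain-PHP example. It is not LinkAce's NoPrivateIpRule or any code from the project; the function name, the resolver hook, and the sample hostnames and addresses are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not LinkAce's NoPrivateIpRule. Returns true only when every
// address behind the URL's host is public. $resolve (host => list of IPs) is a
// hypothetical hook so the check runs offline; the default uses real DNS (IPv4 only).
function isSafeFetchTarget(string $url, ?callable $resolve = null): bool
{
    $resolve ??= static fn (string $h): array => gethostbynamel($h) ?: [];

    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return false;                               // malformed or host-less URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                               // only web schemes are fetched
    }

    $host = trim($parts['host'], '[]');             // parse_url keeps IPv6 brackets
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if ($ips === []) {
        return false;                               // unresolvable name: reject
    }
    foreach ($ips as $ip) {
        // Rejects RFC 1918 / fc00::/7 (private) and loopback, link-local, 0/8, 240/4 (reserved).
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

// Constructed sample data: a stub resolver standing in for DNS inside a Docker network.
$dns = ['example.org' => ['93.184.216.34'], 'db' => ['172.18.0.3']];
$stub = static fn (string $h): array => $dns[$h] ?? [];

$samples = [
    'https://example.org/article',               // public site
    'http://db:3306/',                           // Docker service hostname
    'http://127.0.0.1:8080/admin',               // loopback literal
    'http://169.254.169.254/latest/meta-data/',  // cloud metadata endpoint
    'http://[::1]/',                             // IPv6 loopback literal
    'ftp://example.org/file',                    // non-web scheme
];
foreach ($samples as $url) {
    printf("%-45s %s\n", $url, isSafeFetchTarget($url, $stub) ? 'allow' : 'reject');
}
```

A check like this only protects the fetch if it also runs on every redirect hop and the HTTP client connects to the address that was validated rather than resolving the name a second time.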

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-30953
GHSA-F2MP-Q78R-7JX7

Affected Products

Linkace