PT-2026-28578 · Linkace · Linkace

Amemoyoi · Published 2026-03-27 · Updated 2026-03-28 · CVE-2026-33954

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

LinkAce versions prior to 2.5.3

Description

LinkAce is a self-hosted archive for website links. Versions prior to 2.5.3 allow disclosure of a private note attached to a non-private link to another authenticated user through the web interface. The API correctly enforces note visibility, but the web link detail page does not apply equivalent filtering. An authenticated user permitted to view another user’s internal or public link can read that user’s private notes attached to the link.

Recommendations

Update to version 2.5.3 or later.
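
The gap described above, where one render path applies the note visibility rule and the other does not, can be caught with a parity check between the two paths. The following is an added example, not LinkAce code: the visibility constants, classes and function names are assumptions made for illustration, every viewer is assumed to be authenticated, and the sample data is constructed.

```python
from dataclasses import dataclass, field

# Hypothetical visibility levels and models (assumptions, not LinkAce source).
PUBLIC, INTERNAL, PRIVATE = 1, 2, 3

@dataclass
class Note:
    owner: str
    visibility: int
    text: str

@dataclass
class Link:
    owner: str
    visibility: int
    notes: list = field(default_factory=list)

def can_view(viewer, item):
    """Owners see their own items; other users see only non-private ones."""
    return viewer == item.owner or item.visibility != PRIVATE

def api_notes(viewer, link):
    """Model of the API path: link check, then a per-note visibility check."""
    if not can_view(viewer, link):
        return []
    return [n for n in link.notes if can_view(viewer, n)]

def web_notes_unfiltered(viewer, link):
    """Model of the flaw: link check only, every attached note is rendered."""
    return list(link.notes) if can_view(viewer, link) else []

def web_notes_fixed(viewer, link):
    """Hardened web path: reuse the filter the API already applies."""
    return api_notes(viewer, link)

def parity_violations(web_path, viewers, links):
    """(viewer, note text) pairs the web path shows but the API withholds."""
    leaks = []
    for link in links:
        for viewer in viewers:
            allowed = {id(n) for n in api_notes(viewer, link)}
            leaks += [(viewer, n.text) for n in web_path(viewer, link)
                      if id(n) not in allowed]
    return leaks

# Constructed sample: alice's internal link has one private and one public note.
SAMPLE = [Link("alice", INTERNAL, [Note("alice", PRIVATE, "draft"),
                                   Note("alice", PUBLIC, "summary")])]
```

Calling `parity_violations(web_notes_unfiltered, ["alice", "bob"], SAMPLE)` reports the private note reaching the second user, while the same call with `web_notes_fixed` returns an empty list.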

Exploit

Fix

Improper Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-33954
GHSA-88H3-CQ25-VW8Q

Affected Products

Linkace