CVE-2026-35516

Name of the Vulnerable Software and Affected Versions LinkAce versions prior to 2.5.4

Description LinkAce, a self-hosted archive for website links, has an issue where the LinkRepository::update and CheckLinksCommand::checkLink functions do not validate private IP addresses. An authenticated user can potentially access responses from internal services, such as AWS IMDSv1, cloud metadata, and internal APIs, by creating a link with a public URL and modifying it to use a private IP. The links:check cron job performs server-side requests without IP filtering, which can expose cloud credentials, internal service data, and network topology.

Recommendations Update to version 2.5.4 or later.