CVE-2025-62720

High CVSS: 7.1

LinkAce is a self-hosted archive to collect website links. Versions 2.3.1 and below allow any authenticated user to export the entire database of links from all users in the system, including private links that should only be accessible to their owners. The HTML and CSV export functions in the ExportController class retrieve all links without applying any ownership or visibility filtering, effectively bypassing all access controls implemented elsewhere in the application. This issue is fixed in version 2.4.0.

Vendor

Linkace

Product

Linkace

CWE

CWE-200

Yayın Tarihi

2025-11-04 22:16:38

Güncelleme

2025-11-10 19:57:02

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-200 Linkace HIGH Linkace 2025

Referanslar

https://github.com/Kovah/LinkAce/commit/0ba49dba5176db390999de1f90b9d743a4aedc24 https://github.com/Kovah/LinkAce/releases/tag/v2.4.0 https://github.com/Kovah/LinkAce/security/advisories/GHSA-cqxv-6v28-2f2h https://github.com/Kovah/LinkAce/security/advisories/GHSA-cqxv-6v28-2f2h

Benzer Kayıtlar

High

CVE-2026-33953

LinkAce is a self-hosted archive to collect website links. Versions prior to 2.5.3 block direct requests to private IP l…

Medium

CVE-2026-33954

LinkAce is a self-hosted archive to collect website links. In versions prior to 2.5.3, a private note attached to a non-…

High

CVE-2026-30953

LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetche…

Medium

CVE-2026-30954

LinkAce is a self-hosted archive to collect website links. In 2.1.0 and earlier, the processTaxonomy() method in LinkRep…

High

CVE-2026-27458

LinkAce is a self-hosted archive to collect website links. Versions 2.4.2 and below have a Stored Cross-site Scripting v…

High

CVE-2025-62722

LinkAce is a self-hosted archive to collect website links. In versions 2.3.1 and below, the social media sharing functio…