CVE-2026-30953
Received Received - Intake
Server-Side Request Forgery in LinkAce Link Creation Endpoint

Publication date: 2026-03-10

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetches HTML metadata from the provided URL (LinkRepository::create() calls HtmlMeta::getFromUrl()). The LinkStoreRequest validation rules do not include NoPrivateIpRule, allowing server-side requests to internal network addresses, Docker service hostnames, and cloud metadata endpoints. The project already has a NoPrivateIpRule class (app/Rules/NoPrivateIpRule.php) but it is only applied in FetchController.php (line 99), not in the primary link creation path.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30953
EUVD
EUVD-2026-10874
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linkace linkace to 2.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in LinkAce, a self-hosted archive for collecting website links. When a user creates a link using the POST /links endpoint, the server fetches HTML metadata from the provided URL. However, the validation rules for creating links do not include a check to block requests to private IP addresses or internal network resources (NoPrivateIpRule). Although the project has a NoPrivateIpRule class, it is only applied in a different part of the application (FetchController.php) and not in the main link creation process. This allows an attacker to make the server perform requests to internal network addresses, Docker service hostnames, or cloud metadata endpoints.

Impact Analysis

This vulnerability can allow an attacker to make the server send requests to internal network resources that are normally inaccessible from outside. This can lead to unauthorized access to sensitive internal services, exposure of cloud metadata endpoints, or interaction with Docker service hostnames. Such actions can result in information disclosure or further exploitation within the internal network.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30953. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart