CVE-2026-45344
Deferred Deferred - Pending Action
Remote Code Execution in LinkAce via Mail Configuration Injection

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup endpoints and supply a database they control can inject mail configuration variables and achieve command execution when the application later sends mail. This vulnerability is fixed in 2.5.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-45344
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linkace linkace to 2.5.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in LinkAce versions prior to 2.5.6 during the setup database configuration flow on uninitialized instances. The setup process accepts database credential fields controlled by an attacker and writes them into the .env configuration file without proper escaping. If a remote attacker can access the setup endpoints and supply a database they control, they can inject mail configuration variables. This injection can lead to command execution when the application later sends mail.

Impact Analysis

The vulnerability allows a remote attacker to execute arbitrary commands on the server running LinkAce by injecting malicious mail configuration variables during setup. This can lead to full compromise of the application, including unauthorized access, data theft, or disruption of service.

Mitigation Strategies

The vulnerability is fixed in LinkAce version 2.5.6. Immediate mitigation involves upgrading any affected LinkAce instances to version 2.5.6 or later.

Additionally, restrict access to the setup endpoints on uninitialized LinkAce instances to prevent remote attackers from supplying malicious database credentials.

Compliance Impact

This vulnerability allows a remote attacker to achieve command execution by injecting mail configuration variables through the setup database configuration flow. Such unauthorized command execution and potential data manipulation or exposure could lead to violations of data protection and security requirements mandated by standards like GDPR and HIPAA.

Specifically, the compromise of database credentials and mail configuration could result in unauthorized access to sensitive personal or health information, undermining confidentiality, integrity, and availability controls required by these regulations.

Therefore, organizations using vulnerable versions of LinkAce prior to 2.5.6 may face compliance risks if this vulnerability is exploited.

Detection Guidance

Detection of this vulnerability involves identifying uninitialized LinkAce instances that accept attacker-controlled database credentials during setup and checking for malicious entries in the .env file.

One approach is to verify if the LinkAce instance version is 2.5.5 or earlier and if the setup endpoints are accessible without authentication.

You can check the .env file for suspicious or unexpected environment variables, especially those related to mail configuration that may have been injected.

  • Check the LinkAce version: `grep 'version' /path/to/linkace/version` or check the application metadata.
  • Verify if the .env file contains suspicious mail configuration variables or newline injections: `cat /path/to/linkace/.env | grep -E 'MAIL_|\n'`
  • Scan network traffic for requests to the setup endpoints that include database credential fields, which could indicate exploitation attempts.
  • Use web server logs to identify POST requests to setup endpoints from suspicious IPs.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45344. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart