LinkAce Server-Side Request Forgery Vulnerability (CVE-2026-33953)
LinkAce versions prior to 2.5.3 are vulnerable to server-side request forgery (SSRF), allowing an authenticated user to trigger server-side requests to internal services by referencing internal hostnames.
LinkAce, a self-hosted archive for collecting website links, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 2.5.3. This flaw, identified as CVE-2026-33953, stems from the application’s insufficient validation of user-supplied hostnames. Although direct requests to private IP literals are blocked, the application still performs server-side requests to internal resources when they are referenced through an internal hostname. An authenticated user can exploit this…
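The gap described above, as an added example (this is not LinkAce's code and not its 2.5.3 patch): a check that inspects only IP literals, next to one that resolves the hostname and vets every address it maps to. The function names, the hostnames and the SAMPLE_DNS table are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample data: a stand-in DNS view so the example runs offline.
SAMPLE_DNS = {
    "wiki.internal.example": ["10.0.0.5"],
    "public.example": ["8.8.8.8"],
    "mixed.example": ["8.8.8.8", "127.0.0.1"],
}

def sample_resolver(host):
    return SAMPLE_DNS.get(host, [])

def system_resolver(host):
    """All A/AAAA addresses for host, from the OS resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def is_internal(ip_text):
    """True for any address that is not globally routable."""
    ip = ipaddress.ip_address(ip_text)
    # Judge IPv4-mapped IPv6 (::ffff:10.0.0.5) by its embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global

def literal_only_check(url):
    """Weak pattern: blocks internal IP literals, never inspects hostnames."""
    host = urlsplit(url).hostname or ""
    try:
        return not is_internal(host)
    except ValueError:  # not an IP literal, so the hostname passes unchecked
        return True

def resolved_check(url, resolver=system_resolver):
    """Hardened: return the vetted addresses to connect to, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only http(s) URLs with a host are allowed")
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]  # host is an IP literal
    except ValueError:
        addrs = resolver(host)                     # host is a name: resolve it
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    blocked = [a for a in addrs if is_internal(a)]
    if blocked:  # reject if any record is internal, not just the first one
        raise ValueError(f"{host} resolves to internal address(es): {blocked}")
    return addrs
```

The fetch should then connect to one of the returned addresses rather than resolving the name a second time, and any redirect target needs the same check before it is followed.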
Detection coverage (2 rules)
LinkAce - Suspicious Internal Hostname Request
Severity: high. Detects requests to internal hostnames in LinkAce web server logs, indicating potential SSRF attempts.
LinkAce - Suspicious Request to Private IP Address
Severity: medium. Detects requests to private IP addresses which LinkAce is supposed to block.