Platform: php
Component: linkace
Fixed in: 2.5.4
CVE-2026-33953 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in LinkAce, a self-hosted archive manager for website links. This flaw allows authenticated users to initiate server-side requests to internal resources, even when direct IP access is blocked. The vulnerability impacts LinkAce versions prior to 2.5.3, and a patch is available in version 2.5.3.
The SSRF vulnerability in LinkAce allows an authenticated user to bypass the intended IP address blocking mechanism. Because the block is applied to literal IP addresses, an attacker can instead supply an internal hostname that resolves to a blocked address and trigger LinkAce to make requests to internal services that are not directly reachable from outside. This could expose sensitive data held by those services, such as database credentials, API keys, or internal application data. The blast radius is limited to the internal network reachable from the LinkAce server, but the potential for data exfiltration and lateral movement within that network is significant.
This vulnerability was publicly disclosed on 2026-03-27. There is currently no indication of active exploitation campaigns targeting LinkAce. No public proof-of-concept exploits have been released. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit status: EPSS 0.03% (10th percentile)
The primary mitigation for CVE-2026-33953 is to upgrade LinkAce to version 2.5.3 or later, which includes the fix. If upgrading is not immediately feasible, consider a Web Application Firewall (WAF) with rules that restrict outbound requests by hostname and protocol. Review LinkAce's configuration to ensure the application does not have access to more internal resources than it needs. Monitor LinkAce logs for unusual outbound requests that might indicate exploitation attempts. After upgrading, confirm the fix by attempting to trigger an internal request using a hostname and verifying that the request is blocked.
Update LinkAce to version 2.5.3 or higher. This version fixes the SSRF vulnerability that allows authenticated users to make requests to internal services through internal hostname resolution.
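The bypass described above works because a blocklist applied only to literal IP addresses says nothing about where a hostname resolves. The following is an added example written for this page, not LinkAce's own code: a PHP outbound-URL guard that resolves the hostname first and applies the same private/reserved-range check to every returned address. The function names (`isPublicIp`, `checkOutboundUrl`), the injected `$resolver` callable and the DNS table are assumptions made so the example runs offline; in production the resolver would wrap `gethostbynamel()` plus an AAAA lookup via `dns_get_record()`.

```php
<?php
// Added example, not LinkAce code: an SSRF guard that checks the *resolved*
// addresses of a hostname, not only IP literals written into the URL.
// Function names are hypothetical; the resolver is injected so this runs offline.

declare(strict_types=1);

/**
 * True when $ip (IPv4 or IPv6) lies outside private and reserved ranges
 * (RFC 1918, loopback, link-local, 0/8, 240/4, ::1, fc00::/7, fe80::/10 ...).
 * Relies on PHP's built-in FILTER_VALIDATE_IP range flags.
 */
function isPublicIp(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/**
 * Decide whether an outbound fetch of $url may proceed.
 * $resolver: callable(string $host): string[]  (list of IPs the host resolves to)
 * Returns [bool $allowed, string $reason].
 */
function checkOutboundUrl(string $url, callable $resolver): array
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return [false, 'unparsable URL'];
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return [false, 'scheme not allowed: ' . $parts['scheme']];
    }
    $host = trim($parts['host'], '[]'); // strip IPv6 literal brackets

    // Case 1: literal IP in the URL. This is the check a naive blocklist stops at.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return isPublicIp($host)
            ? [true, 'public IP literal']
            : [false, "blocked IP literal $host"];
    }

    // Case 2: hostname. This is the gap the advisory describes: resolve it,
    // then apply the identical range check to *every* returned address.
    $addresses = $resolver($host);
    if ($addresses === []) {
        return [false, "unresolvable host $host"];
    }
    foreach ($addresses as $ip) {
        if (!isPublicIp($ip)) {
            return [false, "$host resolves to blocked address $ip"];
        }
    }
    return [true, "$host resolves only to public addresses"];
}

// Constructed resolver table standing in for DNS so the example runs offline.
$fakeDns = static function (string $host): array {
    $table = [
        'example.com'        => ['93.184.216.34'],
        'intranet.local'     => ['10.0.0.5'],               // constructed internal name
        'mixed.example.test' => ['93.184.216.34', '192.168.1.20'], // one public, one private
    ];
    return $table[strtolower($host)] ?? [];
};

$candidates = [
    'https://example.com/page',      // ALLOW: public address
    'http://10.0.0.5/admin',         // BLOCK: private IP literal (the original check)
    'http://intranet.local/',        // BLOCK: hostname resolving to 10.0.0.5 (the bypass)
    'http://mixed.example.test/',    // BLOCK: any private address in the answer set fails
    'http://[::1]/',                 // BLOCK: IPv6 loopback literal
    'gopher://example.com/',         // BLOCK: scheme not allowed
];

foreach ($candidates as $candidate) {
    [$ok, $why] = checkOutboundUrl($candidate, $fakeDns);
    printf("%-30s %s (%s)\n", $candidate, $ok ? 'ALLOW' : 'BLOCK', $why);
}
```

Two caveats for anyone implementing this pattern: the check and the connection must use the same addresses, so the HTTP client should connect to the vetted IP (sending the original hostname in the Host header and TLS SNI) rather than resolving again at connect time, and redirects returned by the remote server need to pass through the same guard before being followed. The post-upgrade verification step above amounts to running the hostname cases of this table against the patched LinkAce and confirming they are rejected.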
CVE-2026-33953 is a HIGH severity SSRF vulnerability affecting LinkAce installations prior to version 2.5.3, allowing authenticated users to trigger requests to internal services.
You are affected if you are using LinkAce version 2.5.3 or earlier. Check your LinkAce version and upgrade immediately if necessary.
Upgrade LinkAce to version 2.5.3 or later. As a temporary workaround, implement WAF rules to restrict outbound requests.
There is currently no evidence of active exploitation, but it's crucial to apply the patch promptly.
Refer to the LinkAce project's official website and security advisories for the latest information and updates: [https://linkace.com/](https://linkace.com/)