2.5.4
CVE-2026-33953 describes a Server-Side Request Forgery (SSRF) vulnerability in LinkAce, a self-hosted archive manager for website links. An authenticated user can make the LinkAce server issue requests to internal resources even though direct access by IP address is blocked. Versions prior to 2.5.3 are affected; the fix ships in version 2.5.3.
LinkAce blocks outbound requests whose target is an internal IP address literal, but that check does not cover hostnames. By submitting a URL with an internal hostname (one that the LinkAce server's resolver maps to an internal address), an authenticated user can make LinkAce fetch from internal services that are not reachable from outside. That can expose data held by those services, such as database credentials, API keys, or internal application data. The reach is bounded by what the LinkAce server can connect to, but within that network the potential for data exfiltration and lateral movement is significant.
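The bypass described above comes down to checking the wrong thing: the literal host string instead of the address the request will actually go to. The following Python is an added illustration written for this page, not LinkAce's code, and it makes no claim about how LinkAce's own filter is implemented. It contrasts a blocklist that only inspects IP literals with a resolver-aware check that judges every address a name maps to and fails closed. The hostnames, addresses and DNS table are constructed so the example runs offline.

```python
# Added example (not LinkAce's code): why blocking internal IP literals does not
# stop SSRF, and what a resolver-aware check looks like. Hostnames, addresses
# and the DNS table below are constructed for this demonstration.
import ipaddress
from typing import Callable
from urllib.parse import urlsplit

# Constructed stand-in for what the server's resolver would return.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp.local": ["10.0.0.5"],
    "metadata": ["169.254.169.254"],
    # Rebinding-style record: one public and one loopback answer.
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolve(host: str) -> list[str]:
    """Offline resolver: look the name up in the constructed table."""
    return FAKE_DNS.get(host.lower(), [])


def is_internal(ip: str) -> bool:
    """True for anything not globally routable: RFC 1918, loopback,
    link-local (which includes the 169.254.169.254 metadata address),
    IPv6 ULA, unspecified, and so on."""
    return not ipaddress.ip_address(ip).is_global


def naive_allows(url: str) -> bool:
    """The bypassable pattern: reject only when the URL host is itself an
    internal IP literal. A hostname is never inspected."""
    host = urlsplit(url).hostname or ""
    try:
        return not is_internal(host)
    except ValueError:
        return True  # not an IP literal, so it passes unchecked


def vet_url(url: str, resolve: Callable[[str], list[str]] = fake_resolve) -> list[str]:
    """Resolver-aware check. Returns the addresses the caller may connect to,
    or an empty list to reject. Every resolved address must be global: a name
    with even one internal answer is refused, and an unresolvable name fails
    closed. The caller should connect to one of the returned addresses (keeping
    the original Host header) instead of resolving again, so the name cannot
    change between this check and the connection."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return []
    try:
        ipaddress.ip_address(host)
        addrs = [host]          # IP literal: judge it directly
    except ValueError:
        addrs = resolve(host)   # hostname: judge every address it maps to
    if not addrs or any(is_internal(a) for a in addrs):
        return []
    return addrs


if __name__ == "__main__":
    for u in ("http://10.0.0.5/", "http://intranet.corp.local/",
              "http://metadata/latest/", "http://example.com/",
              "http://rebind.attacker.test/"):
        print(f"{u:35} naive={naive_allows(u)!s:5} vetted={vet_url(u)}")
```

Running the block shows the naive check rejecting `http://10.0.0.5/` but waving through `http://intranet.corp.local/`, which is exactly the hostname bypass; `vet_url` refuses both, refuses the metadata and rebinding names, and returns the pinned address for `example.com`. The return value is a list of vetted addresses rather than a boolean on purpose: if the client re-resolves the name at connect time, a short-TTL record can answer differently and the check is void.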
This vulnerability was publicly disclosed on 2026-03-27. There is currently no indication of active exploitation campaigns targeting LinkAce. No public proof-of-concept exploits have been released. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations running LinkAce, particularly where internal services are reachable from the LinkAce server, are at risk. In shared hosting environments, other applications co-located with LinkAce may also be reachable through the same server-side requests.
• php / server:
    grep -r "internal_hostname" /path/to/linkace/config.php
• generic web:
    curl -I http://your-linkace-instance/internal-resource
  Check the response headers for internal IP addresses or hostnames.
Disclosure: 2026-03-27
Exploit status: no active exploitation reported
EPSS: 0.03% (10th percentile)
The primary mitigation for CVE-2026-33953 is to upgrade LinkAce to version 2.5.3 or later, which contains the fix. If upgrading is not immediately feasible, restrict the LinkAce server's outbound (egress) traffic with host or network firewall rules so that it can reach only the external hosts and protocols it needs; a Web Application Firewall inspects inbound requests and does not control what the server itself connects to. Review where LinkAce is deployed so that it does not sit on a network segment with overly permissive access to internal services. Monitor LinkAce and outbound proxy logs for requests to internal hostnames or addresses, which may indicate exploitation attempts. After upgrading, confirm the fix by submitting a link whose hostname resolves to an internal address (for example a listener you control on the internal network) and verifying that LinkAce refuses the request and the listener receives nothing.
Update LinkAce to version 2.5.3 or later. This version fixes an SSRF vulnerability that allowed authenticated users to make requests to internal services via internal hostname resolution.
CVE-2026-33953 is a HIGH severity SSRF vulnerability affecting LinkAce installations prior to version 2.5.3, allowing authenticated users to trigger requests to internal services.
You are affected if you are running a LinkAce version prior to 2.5.3. Check your LinkAce version and upgrade immediately if necessary.
Upgrade LinkAce to version 2.5.3 or later. As a temporary workaround, restrict the LinkAce server's outbound network access so it cannot reach internal services it does not need.
There is currently no evidence of active exploitation, but it's crucial to apply the patch promptly.
Refer to the LinkAce project's official website and security advisories for the latest information and updates: [https://linkace.com/](https://linkace.com/)