PatchSiren cyber security CVE debrief
CVE-2026-45344 Kovah CVE debrief
A critical vulnerability in LinkAce, a self-hosted link archiving application, allows remote command execution through the setup database configuration flow. The issue affects versions prior to 2.5.6 and stems from improper input validation during initial instance setup. When an uninitialized LinkAce instance is accessed, the setup endpoints accept attacker-controlled database credential fields and write them directly to the `.env` configuration file without proper escaping. An attacker who can reach these setup endpoints and supply a database they control can inject mail configuration variables. When the application subsequently sends mail, this injection leads to command execution.
The vulnerability carries a CVSS 3.1 score of 8.1 (HIGH severity) with the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a network attack vector, high attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. The weakness is classified as CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection').
The vulnerability was disclosed on May 28, 2026, and is fixed in LinkAce version 2.5.6. Organizations running LinkAce should ensure they are on version 2.5.6 or later, and instances that were initialized while exposed to untrusted networks should be considered potentially compromised and reinstalled from a trusted source.
- Vendor: Kovah
- Product: LinkAce
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations and individuals running self-hosted LinkAce instances, particularly those performing fresh installations or maintaining instances that may have been initialized in untrusted network environments. Also relevant to system administrators responsible for LinkAce deployments and to security teams monitoring self-hosted applications for injection vulnerabilities.
Technical summary
The vulnerability exists in LinkAce's database setup configuration flow for uninitialized instances. The application accepts database connection parameters (host, database name, username, password) from user input during setup and writes these values to the `.env` configuration file. The input is not properly escaped, so a value that contains a line break or otherwise breaks out of its `KEY=value` line lets an attacker inject additional configuration directives. Specifically, by controlling the database connection and injecting mail configuration variables (such as `MAIL_HOST`, `MAIL_PORT`, `MAIL_USERNAME`, `MAIL_PASSWORD`, `MAIL_ENCRYPTION`, or `MAIL_FROM_ADDRESS`), an attacker can manipulate how the application sends email. When LinkAce subsequently sends mail using Laravel's mail functionality, the injected configuration can lead to command execution. The attack requires network access to the setup endpoints of an instance that has not yet completed setup, so freshly deployed instances reachable from untrusted networks before an administrator finishes setup are the primary exposure. The attack complexity is rated HIGH because the attacker must control or simulate a database server and orchestrate the configuration injection.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade LinkAce to version 2.5.6 or later immediately
- If LinkAce was initialized while exposed to untrusted networks, consider the instance potentially compromised and reinstall from a trusted source
- Restrict network access to LinkAce setup endpoints to trusted administrative hosts only
- Review `.env` files on existing installations for unexpected mail configuration variables
- Monitor application logs for suspicious mail-related activity or unexpected command execution
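The technical summary above describes the defect as a `.env` writer that interpolates setup input verbatim, and the recommended actions ask administrators to review existing `.env` files for unexpected mail keys. The following added example (not LinkAce's or Laravel's code; the `.env` content and the `EXPECTED_MAIL` values are constructed for illustration) shows both sides of that: a naive writer next to a hardened one that rejects control characters and quotes values, and a small audit function that parses a `.env` file and flags `MAIL_*` keys that are duplicated, unexpected, or differ from the known-good deployment configuration.

```python
"""Unsafe vs. hardened .env writing, plus an audit for injected MAIL_* keys.

Added example for this debrief; it is not LinkAce's code. The .env format
handling here follows common dotenv conventions (KEY=value, optional double
quotes, later duplicate keys override earlier ones).
"""
from __future__ import annotations

import re

# Keys in a .env file are uppercase identifiers; anything else is rejected.
ALLOWED_KEY = re.compile(r"^[A-Z][A-Z0-9_]*$")


def render_env_unsafe(values: dict[str, str]) -> str:
    """The vulnerable pattern: values are written verbatim, so a value that
    contains a newline terminates its line and starts a new KEY=value pair."""
    return "".join(f"{key}={value}\n" for key, value in values.items())


def quote_env_value(value: str) -> str:
    """Quote a single value so it cannot escape its own line.

    Line breaks and NUL are refused outright rather than escaped, because
    dotenv parsers differ in how they treat them inside quotes. Backslash and
    double quote are escaped so the value round-trips through a quoted string.
    """
    if any(ch in value for ch in ("\n", "\r", "\0")):
        raise ValueError("control characters are not allowed in .env values")
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def render_env_safe(values: dict[str, str]) -> str:
    """Hardened writer: validates keys and quotes every value."""
    for key in values:
        if not ALLOWED_KEY.match(key):
            raise ValueError(f"invalid .env key: {key!r}")
    return "".join(f"{key}={quote_env_value(str(value))}\n" for key, value in values.items())


def parse_env(text: str) -> list[tuple[str, str]]:
    """Minimal .env parser that keeps duplicates in order, so an injected
    later definition of a key stays visible to the audit."""
    pairs: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs


def audit_env(text: str, expected_mail: dict[str, str]) -> list[str]:
    """Review a .env for the injection pattern described in the advisory.

    Returns human-readable findings: MAIL_* keys defined more than once,
    MAIL_* keys not present in the expected configuration, and MAIL_* keys
    whose effective (last) value differs from the expected one. An empty
    list means nothing suspicious was found.
    """
    findings: list[str] = []
    counts: dict[str, int] = {}
    effective: dict[str, str] = {}
    for key, value in parse_env(text):
        counts[key] = counts.get(key, 0) + 1
        effective[key] = value
    for key, n in counts.items():
        if n > 1:
            findings.append(f"{key} defined {n} times (last value wins)")
    for key, value in effective.items():
        if not key.startswith("MAIL_"):
            continue
        plain = value.strip("\"'")
        if key not in expected_mail:
            findings.append(f"unexpected mail key {key}={plain}")
        elif plain != expected_mail[key]:
            findings.append(f"{key} is {plain!r}, expected {expected_mail[key]!r}")
    return findings


# Constructed sample: a file whose second MAIL_HOST line would override the
# administrator's intended host. Hostnames are illustrative placeholders.
SAMPLE_ENV = (
    "APP_NAME=LinkAce\n"
    "DB_HOST=db.internal\n"
    "MAIL_HOST=mail.internal\n"
    "MAIL_PORT=587\n"
    "MAIL_HOST=smtp.attacker.example\n"
    "MAIL_ENCRYPTION=tls\n"
)
EXPECTED_MAIL = {"MAIL_HOST": "mail.internal", "MAIL_PORT": "587", "MAIL_ENCRYPTION": "tls"}

if __name__ == "__main__":
    # A newline in a setup field becomes a second key with the naive writer...
    print(render_env_unsafe({"DB_HOST": "db.internal\nMAIL_HOST=smtp.attacker.example"}))
    # ...and is refused by the hardened one.
    try:
        render_env_safe({"DB_HOST": "db.internal\nMAIL_HOST=smtp.attacker.example"})
    except ValueError as exc:
        print("rejected:", exc)
    for finding in audit_env(SAMPLE_ENV, EXPECTED_MAIL):
        print("finding:", finding)
```

Running the module prints the two injected lines the naive writer produces, the rejection from the hardened writer, and the audit findings for the constructed file. The `EXPECTED_MAIL` dictionary should be filled from the deployment's own known-good configuration; the audit is only as good as that baseline.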
Evidence notes
Vulnerability description and technical details sourced from official CVE record and GitHub Security Advisory. CVSS vector and scoring from NVD. Fix version 2.5.6 confirmed in advisory.
Official resources
- CVE-2026-45344 CVE record (CVE.org)
- CVE-2026-45344 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28T22:17:00.497Z