Cyber Resilience

CVE-2026-30953

High

Published: 10 March 2026

Published
10 March 2026
Modified
17 March 2026
KEV Added
Patch
CVSS Score v3.1 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0022 12.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-30953 is a high-severity SSRF (CWE-918) vulnerability in Linkace Linkace. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Instance Metadata API (T1552.005); ranked at the 12.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-30953 is a Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, in LinkAce, a self-hosted archive for collecting website links. The flaw occurs during link creation via POST /links, where the server fetches HTML metadata from the user-provided URL through LinkRepository::create() invoking HtmlMeta::getFromUrl(). The LinkStoreRequest validation rules omit the NoPrivateIpRule, enabling server-side requests to internal network addresses, Docker service hostnames, and cloud metadata endpoints, despite the rule's existence in app/Rules/NoPrivateIpRule.php and its use in FetchController.php (line 99).

An authenticated user with low privileges (PR:L) can exploit this over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). By supplying a crafted URL in a link creation request, the attacker causes the server to fetch from restricted internal endpoints, resulting in high confidentiality impact (C:H) across a changed scope (S:C), with no integrity or availability effects (I:N/A:N), per the CVSS v3.1 base score of 7.7.

The GitHub security advisory at https://github.com/Kovah/LinkAce/security/advisories/GHSA-f2mp-q78r-7jx7 provides further details on the vulnerability, including recommended mitigations and patches.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetches HTML metadata from the provided URL (LinkRepository::create() calls HtmlMeta::getFromUrl()). The LinkStoreRequest validation rules do not include NoPrivateIpRule, allowing server-side…

more

requests to internal network addresses, Docker service hostnames, and cloud metadata endpoints. The project already has a NoPrivateIpRule class (app/Rules/NoPrivateIpRule.php) but it is only applied in FetchController.php (line 99), not in the primary link creation path.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
T1018 Remote System Discovery Discovery
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

SSRF directly enables server requests to cloud metadata endpoints (T1522/T1552.005) and internal/Docker hostnames (T1018/T1046) by bypassing IP restrictions during link metadata fetch.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33953Same product: Linkace Linkace
CVE-2026-26286Shared CWE-918
CVE-2026-33226Shared CWE-918
CVE-2026-33024Shared CWE-918
CVE-2026-5936Shared CWE-918
CVE-2026-40348Shared CWE-918
CVE-2026-32133Shared CWE-918
CVE-2026-30232Shared CWE-918
CVE-2026-28680Shared CWE-918
CVE-2026-33480Shared CWE-918

Affected Assets

linkace
linkace
≤ 2.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation mechanisms for user-supplied URLs in the POST /links endpoint to reject private IPs, internal hostnames, and metadata endpoints, preventing SSRF exploitation.

prevent

Enforces information flow control policies that block unauthorized server-side fetches to internal network resources triggered by LinkStoreRequest inputs.

prevent

Monitors and controls communications at key internal boundaries to mitigate server requests to Docker services and cloud metadata endpoints via HtmlMeta::getFromUrl().

References