CVE-2026-33953
Published: 27 March 2026
Summary
CVE-2026-33953 is a high-severity SSRF (CWE-918) vulnerability in LinkAce. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 11.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Validates user-submitted links and hostnames to prevent SSRF exploitation by blocking requests to internal-only resources.
Enforces information flow control policies prohibiting the LinkAce server from making unauthorized requests to internal services via submitted hostnames.
Monitors and controls outbound communications from the application server to internal networks, blocking SSRF-triggered requests.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in a public-facing, self-hosted web application directly enables T1190 (Exploit Public-Facing Application) for low-privilege authenticated users; SSRF to internal hostnames also facilitates internal network service discovery (T1046, Network Service Discovery), leading to confidential data exposure.
NVD Description
LinkAce is a self-hosted archive to collect website links. Versions prior to 2.5.3 block direct requests to private IP literals, but still perform server-side requests to internal-only resources when those resources are referenced through an internal hostname. This allows an authenticated user to trigger server-side requests to internal services reachable by the LinkAce server but not directly reachable by an external user. Version 2.5.3 patches the issue.
Deeper analysis
CVE-2026-33953 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting LinkAce, a self-hosted archive application for collecting website links. Versions prior to 2.5.3 block direct requests to private IP literals but fail to prevent server-side requests to internal-only resources when referenced via internal hostnames. The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), indicating high severity due to its potential for confidential data exposure across security scopes.
An authenticated user with low privileges can exploit this flaw remotely over the network with low complexity and no user interaction required. By submitting links with internal hostnames, the attacker triggers the LinkAce server to make requests to internal services that are reachable from the server but not exposed externally, potentially allowing unauthorized access to sensitive internal resources and high-impact confidentiality breaches with limited integrity disruption.
The GitHub Security Advisory (GHSA-wp4g-qw9j-wfjg) confirms that LinkAce version 2.5.3 addresses the issue by patching the server-side request handling. Security practitioners should upgrade to version 2.5.3 or later and review access controls for authenticated users to mitigate exploitation risks.
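The gap described above is a check that rejects private IP literals but never asks what a submitted hostname resolves to. As an added illustration (not LinkAce's code or the advisory's), the validator below resolves the host first and rejects the link if any resulting address is private, loopback, link-local or otherwise internal; `FAKE_DNS` and `fake_resolver` are a constructed lookup table so it runs offline, and `dns_resolver` is the real-lookup variant.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical validator written for this entry, not LinkAce's own code. The
# pre-2.5.3 check rejected private IP literals only, so a hostname resolving
# to 10.x.x.x passed. Fix: resolve first, then judge every resulting address.

def is_internal(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def dns_resolver(host):
    # Real lookup returning every A/AAAA answer, not only the first.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_link(url, resolver=dns_resolver):
    # Returns (allowed, reason). The fetch must then connect to the address
    # checked here (pin it); re-resolving later reopens the DNS-rebinding gap.
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        addrs = {host}                    # IP literal: judge it directly
    except ValueError:                    # hostname: resolve, judge each one
        try:
            addrs = resolver(host)
        except OSError:
            return False, "unresolvable host"
    for a in addrs:
        if is_internal(ipaddress.ip_address(a)):
            return False, "%s maps to internal address %s" % (host, a)
    return True, "ok"

# Constructed DNS table so the example runs offline; these are not real records.
FAKE_DNS = {"intranet.corp.local": {"10.20.30.40"},
            "example.com": {"93.184.216.34"},
            "mixed.example": {"93.184.216.34", "192.168.1.5"},
            "v6mapped.example": {"::ffff:127.0.0.1"}}

def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")         # behaves like a failed lookup
    return FAKE_DNS[host]
```

A name with several records is rejected if any one of them is internal, which is the case a first-answer-only check misses.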
Details
- CWE(s): CWE-918 (Server-Side Request Forgery)