Cyber Resilience

CVE-2026-40905

Severity: High
Published: 21 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available (LinkAce 2.5.4)
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0029 (20.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40905 is a high-severity Open Redirect (CWE-601) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 20.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40905 is a password reset poisoning vulnerability in LinkAce, a self-hosted archive for collecting website links. In versions prior to 2.5.4, the application improperly trusts the user-controlled X-Forwarded-Host HTTP header when generating password reset URLs. This allows attackers to manipulate the header during a password reset request, injecting an attacker-controlled domain into the reset link that is emailed to the victim. The issue is rated with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and maps to CWE-601 (URL Redirection to Untrusted Site).

An unauthenticated attacker (PR:N) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) by sending a password reset request to a targeted user while controlling the X-Forwarded-Host header, such as through a reverse proxy or misconfigured network path. The victim receives an email containing a password reset link pointing to the attacker's domain; upon clicking it (UI:R), the reset token is transmitted to the attacker's server. The attacker can then capture this token and use it to reset the victim's password, achieving full account takeover with high confidentiality and integrity impacts (C:H/I:H).

The vulnerability is fixed in LinkAce version 2.5.4. The GitHub security advisory at https://github.com/Kovah/LinkAce/security/advisories/GHSA-48wv-jpf4-vjfv provides details on the issue and recommends upgrading to the patched version.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, a password reset poisoning vulnerability was identified in the application due to improper trust of user-controlled HTTP headers. The application uses the X-Forwarded-Host header when generating password reset URLs. By manipulating this header during a password reset request, an attacker can inject an attacker-controlled domain into the reset link sent via email. As a result, the victim receives a password reset email containing a malicious link pointing to an attacker-controlled domain. When the victim clicks the link, the password reset token is transmitted to the attacker-controlled server. An attacker can capture this token and use it to reset the victim's password, leading to full account takeover. This vulnerability is fixed in 2.5.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote unauthenticated flaw in a public-facing web application (LinkAce) that is directly exploited by sending crafted password reset requests with a malicious X-Forwarded-Host header, enabling account takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0508 (shared CWE-601)
CVE-2025-50067 (shared CWE-601)
CVE-2026-40961 (shared CWE-601)
CVE-2026-0573 (shared CWE-601)
CVE-2026-7504 (shared CWE-601)
CVE-2026-29067 (shared CWE-601)
CVE-2025-23363 (shared CWE-601)
CVE-2026-3872 (shared CWE-601)
CVE-2026-6795 (shared CWE-601)
CVE-2026-28512 (shared CWE-601)

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent)

Directly requires validation of user-controlled HTTP inputs like the X-Forwarded-Host header to block injection of attacker-controlled domains into password reset URLs.

SI-2 Flaw Remediation (prevent)

Mandates timely flaw remediation, including patching LinkAce to version 2.5.4, which fixes the improper trust of the X-Forwarded-Host header.

Configuration settings (prevent)

Ensures configuration settings prevent the application from trusting or misusing unverified proxy headers such as X-Forwarded-Host in URL generation.
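The header trust described under "Deeper analysis" and the input-validation and configuration controls listed above, as an added Python illustration that is not LinkAce's own (PHP/Laravel) code: it shows the weak pattern (the reset link's host copied from X-Forwarded-Host) next to a hardened builder that derives the host from a configured canonical URL and only honours a forwarded host when the connecting peer is a configured proxy and the value is on a host allowlist, plus a log-side check that flags reset requests carrying a forwarded host the application would not accept. The `AppConfig`/`Request` types, the `/password/reset/` route, the addresses and host names, and the token value are all assumptions constructed for the example.

```python
"""Hardening password-reset URL generation against X-Forwarded-Host poisoning.

Added illustration, not LinkAce code. Route path, config field names, sample
requests, hosts and the token below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

RESET_PATH = "/password/reset/"  # assumed route; the real route may differ


@dataclass
class AppConfig:
    app_url: str                                               # canonical public URL set by the operator
    trusted_proxies: list[str] = field(default_factory=list)   # CIDRs allowed to set X-Forwarded-*
    allowed_hosts: frozenset[str] = frozenset()                # hosts the app may ever be served under


@dataclass
class Request:
    peer_ip: str               # address of the TCP peer (a proxy, or the client itself)
    headers: dict[str, str]    # headers as received; looked up case-insensitively

    def header(self, name: str) -> str | None:
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)


def reset_url_vulnerable(req: Request, token: str) -> str:
    """The pattern the advisory describes: the link's host comes straight from
    X-Forwarded-Host (falling back to Host), so whoever controls that header
    decides where the token is delivered."""
    host = req.header("X-Forwarded-Host") or req.header("Host")
    return f"https://{host}{RESET_PATH}{token}"


def forwarded_host_if_trusted(req: Request, cfg: AppConfig) -> str | None:
    """Honour X-Forwarded-Host only when the peer is a configured proxy AND the
    (first-hop, port-stripped, lower-cased) value is an allow-listed host."""
    peer = ip_address(req.peer_ip)
    if not any(peer in ip_network(cidr) for cidr in cfg.trusted_proxies):
        return None
    fwd = req.header("X-Forwarded-Host")
    if not fwd:
        return None
    first_hop = fwd.split(",")[0].strip()
    host = urlsplit("//" + first_hop).hostname  # handles ports and bracketed IPv6
    return host if host in cfg.allowed_hosts else None


def reset_url_hardened(req: Request, cfg: AppConfig, token: str) -> str:
    """Build the link from the canonical URL. A forwarded host is used only if
    it survived forwarded_host_if_trusted(); an attacker-supplied header
    therefore never reaches the email."""
    canonical = urlsplit(cfg.app_url)
    host = forwarded_host_if_trusted(req, cfg) or canonical.netloc
    return f"{canonical.scheme}://{host}{RESET_PATH}{token}"


def suspicious_reset_requests(requests: list[Request], cfg: AppConfig) -> list[tuple[str, str]]:
    """Defender-side check over captured reset requests: report any carrying an
    X-Forwarded-Host the application would have rejected (peer not a trusted
    proxy, or host not on the allowlist)."""
    findings = []
    for r in requests:
        fwd = r.header("X-Forwarded-Host")
        if fwd is not None and forwarded_host_if_trusted(r, cfg) is None:
            findings.append((r.peer_ip, fwd))
    return findings


# Constructed sample configuration and requests.
CFG = AppConfig(
    app_url="https://links.example.org",
    trusted_proxies=["10.0.0.0/8"],
    allowed_hosts=frozenset({"links.example.org"}),
)
TOKEN = "token-placeholder"
DIRECT_SPOOF = Request("203.0.113.7", {"Host": "links.example.org",
                                       "X-Forwarded-Host": "attacker.example"})
VIA_PROXY = Request("10.0.0.5", {"Host": "links.example.org",
                                 "X-Forwarded-Host": "links.example.org:443"})
PROXY_BAD_HOST = Request("10.0.0.5", {"Host": "links.example.org",
                                      "X-Forwarded-Host": "attacker.example"})

if __name__ == "__main__":
    print("vulnerable:", reset_url_vulnerable(DIRECT_SPOOF, TOKEN))
    print("hardened:  ", reset_url_hardened(DIRECT_SPOOF, CFG, TOKEN))
    print("flagged:   ", suspicious_reset_requests([DIRECT_SPOOF, VIA_PROXY, PROXY_BAD_HOST], CFG))
```

In a Laravel deployment such as LinkAce, the operator-set APP_URL value and the TrustProxies middleware play roles analogous to `app_url` and `trusted_proxies` here; the point the example makes is that absolute URLs placed in email must never be derived from a header the client can set unless both the sending proxy and the resulting host have been explicitly approved.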

References