SSRF in Kovah Linkace
CVE-2025-62719
LinkAce is a self-hosted archive to collect website links. In versions 2.3.0 and below, the htmlKeywordsFromUrl function in the FetchController class accepts user-provided URLs and makes HTTP requests to them without validating that the de…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.000 (9.4th percentile)
Affected products
- Kovah Linkace — versions < 2.4.0
Weakness classification (CWE)
References
- https://github.com/Kovah/LinkAce/security/advisories/GHSA-473x-rmm6-mc8c (x_refsource_CONFIRM)
- https://github.com/Kovah/LinkAce/commit/4e0b822163ccefc2640c283ae969a39e673a0619 (x_refsource_MISC)
- http://github.com/Kovah/LinkAce/releases/tag/v2.4.0 (x_refsource_MISC)