CVE-2026-40905HIGH 8.1EPSS p20.3%

CVE-2026-40905CVE-2026-40905

Description

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, a password reset poisoning vulnerability was identified in the application due to improper trust of user-controlled HTTP headers. The application uses the X-Forwarded-Host header when generating password reset URLs. By manipulating this header during a password reset request, an attacker can inject an attacker-controlled domain into the reset link sent via email. As a result, the victim receives a password reset email containing a malicious link pointing to an attacker-controlled domain. When the victim clicks the link, the password reset token is transmitted to the attacker-controlled server. An attacker can capture this token and use it to reset the victim’s password, leading to full account takeover. This vulnerability is fixed in 2.5.4.

Scoring

CVSS 3.18.1 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS0.29% probability of exploitation · percentile 20.3% · 2026-06-19T12:03:05Z
Published2026-04-21
Last modified2026-04-22

Underlying weaknesses· 1

CWE-601

References

  1. https://github.com/Kovah/LinkAce/security/advisories/GHSA-48wv-jpf4-vjfv

1

TypeTargetConfidenceTier
WeaknessURL Redirection to Untrusted Site ('Open Redirect')cwe-6010%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-33953
CVE
CVE-2026-45344
CVE
CVE-2026-50635
CVE
CVE-2025-69240
CVE
CVE-2025-48936
CVE
CVE-2026-42606
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.