CVE-2026-45344EPSS p36.1%

CVE-2026-45344CVE-2026-45344

Description

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup endpoints and supply a database they control can inject mail configuration variables and achieve command execution when the application later sends mail. This vulnerability is fixed in 2.5.6.

Scoring

CVSS 8.1 ()
VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.46% probability of exploitation · percentile 36.1% · 2026-06-19T12:03:05Z
Last modified2026-06-01

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-33953
CVE
CVE-2026-40905
CVE
CVE-2026-48842
CVE
CVE-2025-24337
CVE
CVE-2025-52159
CVE
CVE-2026-42288
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.