CVE-2025-62720 HIGH

CVE-2025-62720: LinkAce: Data Exfiltration via Export Functions Allow Access to All Users' Private Links

Vendor Kovah

Product LinkAce

Weakness CWE-200 · Info exposure

Published November 4, 2025

Last update November 5, 2025

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

LinkAce is a self-hosted archive to collect website links. Versions 2.3.1 and below allow any authenticated user to export the entire database of links from all users in the system, including private links that should only be accessible to their owners. The HTML and CSV export functions in the ExportController class retrieve all links without applying any ownership or visibility filtering, effectively bypassing all access controls implemented elsewhere in the application. This issue is fixed in version 2.4.0.

Key dates

02Disclosure timeline

November 4, 2025 CVE published

November 5, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-62720

Related vulnerabilities

CVE-2025-62720: LinkAce: Data Exfiltration via Export Functions Allow Access to All Users' Private Links

01Description

02Disclosure timeline

03References

04Related CVE