CVE-2025-62721 HIGH

CVE-2025-62721: LinkAce: Authorization Bypass Allows Unauthorized Access to All Private Links, Lists, and Tags

Vendor Kovah
Product LinkAce
Weakness CWE-200 · Info exposure
Published November 4, 2025
Last update November 5, 2025

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

LinkAce is a self-hosted archive to collect website links. In versions 2.3.1 and below, authenticated RSS feed endpoints in the FeedController class fail to implement proper authorization checks, allowing any authenticated user to access all links, lists, and tags from all users in the system, regardless of their ownership or visibility settings. This issue is fixed in version 2.4.0.

Key dates

02Disclosure timeline

November 4, 2025 CVE published
November 5, 2025 Record updated