CVE-2026-40905 HIGH

CVE-2026-40905: LinkAce: Password Reset Poisoning via X-Forwarded-Host Header Injection Leading to Account Takeover

Vendor Kovah

Product LinkAce

Weakness CWE-601 · Open redirect

Published April 21, 2026

Last update April 21, 2026

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, a password reset poisoning vulnerability was identified in the application due to improper trust of user-controlled HTTP headers. The application uses the X-Forwarded-Host header when generating password reset URLs. By manipulating this header during a password reset request, an attacker can inject an attacker-controlled domain into the reset link sent via email. As a result, the victim receives a password reset email containing a malicious link pointing to an attacker-controlled domain. When the victim clicks the link, the password reset token is transmitted to the attacker-controlled server. An attacker can capture this token and use it to reset the victim’s password, leading to full account takeover. This vulnerability is fixed in 2.5.4.

Key dates

02Disclosure timeline

April 21, 2026 CVE published

April 21, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-40905 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/601.html

Related vulnerabilities

CVE-2026-40905: LinkAce: Password Reset Poisoning via X-Forwarded-Host Header Injection Leading to Account Takeover

01Description

02Disclosure timeline

03References

04Related CVE