CVE-2026-45344 HIGH

CVE-2026-45344: LinkAce: Setup database password newline injection enables pre-auth RCE on uninitialized instances

Vendor Kovah
Product LinkAce
Weakness CWE-74
Published May 28, 2026
Last update June 1, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup endpoints and supply a database they control can inject mail configuration variables and achieve command execution when the application later sends mail. This vulnerability is fixed in 2.5.6.
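The unescaped `.env` write described above, shown as an added example (not LinkAce's code and not the 2.5.6 patch): a writer that interpolates a submitted value into a `.env` line verbatim, next to one that rejects control characters and quotes the value. The function names, the `DB_PASSWORD` key and the sample input are assumptions constructed for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not from LinkAce.

// Vulnerable pattern: the value is written verbatim, so an embedded
// line break ends the intended entry and starts a new KEY=VALUE line.
function envLineUnsafe(string $key, string $value): string
{
    return $key . '=' . $value . "\n";
}

// Hardened pattern: validate the key, refuse any control character
// (including CR and LF), then emit a double-quoted, escaped value.
function envLineSafe(string $key, string $value): string
{
    if (!preg_match('/^[A-Z][A-Z0-9_]*$/', $key)) {
        throw new InvalidArgumentException('invalid key');
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException("control character in $key");
    }
    // Escape the characters that are special inside a double-quoted
    // dotenv value: backslash, double quote and dollar sign.
    $escaped = strtr($value, ['\\' => '\\\\', '"' => '\\"', '$' => '\\$']);
    return $key . '="' . $escaped . '"' . "\n";
}

// Constructed sample input: a "password" carrying a second assignment.
$submitted = "secret\nINJECTED_KEY=constructed";

// The unsafe writer turns one submitted field into two .env entries.
$unsafe = envLineUnsafe('DB_PASSWORD', $submitted);
$entries = array_filter(explode("\n", $unsafe));
echo count($entries), " entries written by the unsafe writer\n";

// The safe writer refuses the same input instead of writing it.
try {
    envLineSafe('DB_PASSWORD', $submitted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// A legitimate password with special characters stays on one line.
echo envLineSafe('DB_PASSWORD', 'p"a$s\\w');
```

Rejecting control characters at the input boundary and escaping at the write are independent checks; keeping both means a later change to one does not reopen the injection.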

Key dates

02 Disclosure timeline

May 28, 2026 CVE published
June 1, 2026 Record updated