CVE-2026-7502 MEDIUM

CVE-2026-7502: LinkStackOrg LinkStack Management Endpoint UserController.php saveLink authorization

Vendor Linkstackorg

Product LinkStack

Weakness CWE-639 · IDOR

Published April 30, 2026

Last update May 1, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A security vulnerability has been detected in LinkStackOrg LinkStack up to 4.8.6. The affected element is the function saveLink of the file app/Http/Controllers/UserController.php of the component Management Endpoint. The manipulation leads to authorization bypass. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance.

Key dates

Disclosure timeline

April 30, 2026 CVE published

May 1, 2026 Record updated

Identifiers

CVE CVE-2026-7502

CWE CWE-639

CVSS 5.3 / MEDIUM

Affected versions

Vendor Linkstackorg

Product LinkStack

Affected 4.8.0

Vendor Linkstackorg

Product LinkStack

Affected 4.8.1

Vendor Linkstackorg

Product LinkStack

Affected 4.8.2

Vendor Linkstackorg

Product LinkStack

Affected 4.8.3

Vendor Linkstackorg

Product LinkStack

Affected 4.8.4

Vendor Linkstackorg

Product LinkStack

Affected 4.8.5

Vendor Linkstackorg

Product LinkStack

Affected 4.8.6