Home / Vulnerability Intelligence / CVE-2026-33953

CVE-2026-33953 - Vulnerability Analysis

HighCVSS: 8.5

Last Updated: March 27, 2026

LinkAce - Server Side Request Forgery

Published: March 27, 2026Updated: March 27, 2026Remote Exploitable

Overview

LinkAce < 2.5.3 contains a server-side request forgery caused by allowing server-side requests to internal hostnames, letting authenticated users trigger requests to internal services, exploit requires user authentication.

Severity & Score

Severity: High

CVSS Score: 8.5

EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Authenticated users can make the server access internal-only services, potentially exposing sensitive internal resources.

Mitigation

Update to version 2.5.3 or later.

References

https://github.com/Kovah/LinkAce/security/advisories/GHSA-wp4g-qw9j-wfjg

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

Mar 27, 2026

🟠 CVE-2026-33953 - High (8.5) LinkAce is a self-hosted archive to collect website links. Versions prior to 2.5.3 block direct requests to private IP literals, but still performs server-side requests to internal-only resources when those resources are referenced through an inte... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33953/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

Mar 27, 2026

View original post

Related Resources

Details

CVE ID: CVE-2026-33953
Severity: High
CVSS Score: 8.5
Type: server_side_request_forgery
Status: new
EPSS: 0.0%
Social Posts: 2

CWE

CWE-918

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

EPSS Score

0.0%Probability of exploitation in the next 30 days