Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Mon, 01 Jun 2026 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 28 May 2026 23:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Kovah
Kovah linkace |
|
| Vendors & Products |
Kovah
Kovah linkace |
Thu, 28 May 2026 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup endpoints and supply a database they control can inject mail configuration variables and achieve command execution when the application later sends mail. This vulnerability is fixed in 2.5.6. | |
| Title | LinkAce: Setup database password newline injection enables pre-auth RCE on uninitialized instances | |
| Weaknesses | CWE-74 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-01T18:50:46.262Z
Reserved: 2026-05-11T21:40:08.177Z
Link: CVE-2026-45344
Updated: 2026-06-01T18:50:12.009Z
Status : Deferred
Published: 2026-05-28T22:17:00.497
Modified: 2026-06-01T21:16:45.717
Link: CVE-2026-45344
No data.
OpenCVE Enrichment
Updated: 2026-05-28T23:00:15Z