Vulnerability Description
LinkAce is a self-hosted archive to collect website links. In versions 2.3.1 and below, authenticated RSS feed endpoints in the FeedController class fail to implement proper authorization checks, allowing any authenticated user to access all links, lists, and tags from all users in the system, regardless of their ownership or visibility settings. This issue is fixed in version 2.4.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linkace | Linkace | < 2.4.0 |
Related Weaknesses (CWE)
References
- https://github.com/Kovah/LinkAce/commit/1fef32694cee2bd80892fb478416be9364c3fdddPatch
- https://github.com/Kovah/LinkAce/releases/tag/v2.4.0Release Notes
- https://github.com/Kovah/LinkAce/security/advisories/GHSA-47g2-qw6q-cr96ExploitVendor Advisory
- https://github.com/Kovah/LinkAce/security/advisories/GHSA-47g2-qw6q-cr96ExploitVendor Advisory
FAQ
What is CVE-2025-62721?
CVE-2025-62721 is a vulnerability with a CVSS score of 6.5 (MEDIUM). LinkAce is a self-hosted archive to collect website links. In versions 2.3.1 and below, authenticated RSS feed endpoints in the FeedController class fail to implement proper authorization checks, allo...
How severe is CVE-2025-62721?
CVE-2025-62721 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-62721?
Check the references section above for vendor advisories and patch information. Affected products include: Linkace Linkace.