{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40905", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T16:37:22.767Z", "datePublished": "2026-04-21T20:02:35.006Z", "dateUpdated": "2026-04-21T20:35:49.598Z"}, "containers": {"cna": {"title": "LinkAce: Password Reset Poisoning via X-Forwarded-Host Header Injection Leading to Account Takeover", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-48wv-jpf4-vjfv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-48wv-jpf4-vjfv"}], "affected": [{"vendor": "Kovah", "product": "LinkAce", "versions": [{"version": "< 2.5.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T20:02:35.006Z"}, "descriptions": [{"lang": "en", "value": "LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, a password reset poisoning vulnerability was identified in the application due to improper trust of user-controlled HTTP headers. The application uses the X-Forwarded-Host header when generating password reset URLs. By manipulating this header during a password reset request, an attacker can inject an attacker-controlled domain into the reset link sent via email. As a result, the victim receives a password reset email containing a malicious link pointing to an attacker-controlled domain. When the victim clicks the link, the password reset token is transmitted to the attacker-controlled server. An attacker can capture this token and use it to reset the victim\u2019s password, leading to full account takeover. This vulnerability is fixed in 2.5.4."}], "source": {"advisory": "GHSA-48wv-jpf4-vjfv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T20:33:04.310837Z", "id": "CVE-2026-40905", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:35:49.598Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40905", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T20:33:04.310837Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:33:07.589Z"}}], "cna": {"title": "LinkAce: Password Reset Poisoning via X-Forwarded-Host Header Injection Leading to Account Takeover", "source": {"advisory": "GHSA-48wv-jpf4-vjfv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Kovah", "product": "LinkAce", "versions": [{"status": "affected", "version": "< 2.5.4"}]}], "references": [{"url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-48wv-jpf4-vjfv", "name": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-48wv-jpf4-vjfv", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, a password reset poisoning vulnerability was identified in the application due to improper trust of user-controlled HTTP headers. The application uses the X-Forwarded-Host header when generating password reset URLs. By manipulating this header during a password reset request, an attacker can inject an attacker-controlled domain into the reset link sent via email. As a result, the victim receives a password reset email containing a malicious link pointing to an attacker-controlled domain. When the victim clicks the link, the password reset token is transmitted to the attacker-controlled server. An attacker can capture this token and use it to reset the victim\u2019s password, leading to full account takeover. This vulnerability is fixed in 2.5.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T20:02:35.006Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40905", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:35:49.598Z", "dateReserved": "2026-04-15T16:37:22.767Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T20:02:35.006Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, a password reset poisoning vulnerability was identified in the application due to improper trust of user-controlled HTTP headers. The application uses the X-Forwarded-Host header when generating password reset URLs. By manipulating this header during a password reset request, an attacker can inject an attacker-controlled domain into the reset link sent via email. As a result, the victim receives a password reset email containing a malicious link pointing to an attacker-controlled domain. When the victim clicks the link, the password reset token is transmitted to the attacker-controlled server. An attacker can capture this token and use it to reset the victim\u2019s password, leading to full account takeover. This vulnerability is fixed in 2.5.4."}], "id": "CVE-2026-40905", "lastModified": "2026-04-22T21:08:48.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T21:16:44.503", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-48wv-jpf4-vjfv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "LinkAce", "source": "cna", "vendor": "Kovah"}, "product": "linkace", "vendor": "kovah"}], "analysis": {"en": {"generated_at": "2026-04-22T07:15:01.705993+00:00", "value": {"mitigation_remediation": ["Upgrade LinkAce to version 2.5.4 or later, where the X\u2011Forwarded\u2011Host header validation is fixed.", "If an upgrade cannot be performed immediately, configure your web server or the application to reject or sanitize the X\u2011Forwarded\u2011Host header so that only trusted internal proxies can supply it, blocking user\u2011controlled values.", "Implement email monitoring or phishing\u2011filtering rules that flag password\u2011reset links with hostnames that differ from the legitimate domain before users click them.", "Enforce HTTPS for all reset links and reduce the token lifetime to narrow the window for interception."], "summary": {"action": "Immediate Patch", "impact": "Account takeover via password reset poisoning"}, "threat_synthesis": {"affected_systems": "Kovah\u2019s LinkAce self\u2011hosted link\u2011storage application, any installation running a version older than 2.5.4, regardless of operating system, web server, or database. The vulnerability manifests when the X\u2011Forwarded\u2011Host header is allowed to pass from the client to the application during a reset request.", "description_and_impact": "This vulnerability arises in versions of LinkAce prior to 2.5.4, where the application accepts the X\u2011Forwarded\u2011Host header as trusted when constructing password\u2011reset URLs. By forging this header in a password\u2011reset request, an attacker can cause the system to generate an email containing a reset link that points to an attacker\u2011controlled domain. The victim subsequently receives the email, clicks the link, and the embedded reset token is sent to the attacker\u2019s server. The attacker can then use that token to reset the victim\u2019s password, thereby taking full control of the account. The flaw is a classic open\u2011redirect style injection, classified under CWE\u2011601.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity. No publicly documented privileged\u2011access requirement is mentioned; this lack suggests the exploit can be achieved with user\u2011level or even unauthenticated access, a conclusion inferred from the advisory text. The EPSS score is not published, so the exact exploitation probability cannot be quantified. Attackers can set the header directly on the reset request or through a compromised internal proxy, enabling them to force the application to send a reset link to a malicious domain. The vulnerability is not listed in CISA\u2019s KEV catalog, implying no known active exploitation; however, the straightforward nature of the attack could readily support large\u2011scale phishing campaigns."}}}}, "created": "2026-04-22T04:15:07.392842+00:00", "updated": "2026-04-22T07:15:11.677675+00:00", "vendors": ["kovah", "kovah$PRODUCT$linkace"]}