LinkAce: Password Reset Poisoning via X-Forwarded-Host Header Injection Leading to...

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Description

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, a password reset poisoning vulnerability was identified in the application due to improper trust of user-controlled HTTP headers. The application uses the X-Forwarded-Host header when generating password reset URLs. By manipulating this header during a password reset request, an attacker can inject an attacker-controlled domain into the reset link sent via email. As a result, the victim receives a password reset email containing a malicious link pointing to an attacker-controlled domain. When the victim clicks the link, the password reset token is transmitted to the attacker-controlled server. An attacker can capture this token and use it to reset the victim’s password, leading to full account takeover. This vulnerability is fixed in 2.5.4.

Basic Information

ID CVE-2026-40905

Source GitHub_M

Published Apr 21, 2026 at 20:02

Modified Apr 21, 2026 at 20:35

Affected Product

Vendor Kovah

Product LinkAce

Version < 2.5.4

Affected Versions Kovah LinkAce < 2.5.4

CWE Classification

CWE-601

References

github.com /Kovah/LinkAce/security/advisories/GHSA-48wv-jpf4-vjfv

{
    "lastseen": "",
    "description": "LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, a password reset poisoning vulnerability was identified in the application due to improper trust of user-controlled HTTP headers. The application uses the X-Forwarded-Host header when generating password reset URLs. By manipulating this header during a password reset request, an attacker can inject an attacker-controlled domain into the reset link sent via email. As a result, the victim receives a password reset email containing a malicious link pointing to an attacker-controlled domain. When the victim clicks the link, the password reset token is transmitted to the attacker-controlled server. An attacker can capture this token and use it to reset the victim\u2019s password, leading to full account takeover. This vulnerability is fixed in 2.5.4.",
    "published": "2026-04-21T20:02:35.006Z",
    "modified": "2026-04-21T20:35:49.598Z",
    "type": "cve",
    "title": "LinkAce: Password Reset Poisoning via X-Forwarded-Host Header Injection Leading to Account Takeover",
    "source": "GitHub_M",
    "references": "https://github.com/Kovah/LinkAce/security/advisories/GHSA-48wv-jpf4-vjfv",
    "id": "CVE-2026-40905",
    "bulletinFamily": "",
    "cwe": [
        "CWE-601"
    ],
    "cvelist": null,
    "sourceData": "Kovah LinkAce < 2.5.4",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "LinkAce",
    "version": "< 2.5.4",
    "vendor": "Kovah",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

LinkAce: Password Reset Poisoning via X-Forwarded-Host Header Injection Leading to Account Takeover_CVE-2026-40905