# CVE-2026-40905

> Vulnerability · severity: **HIGH** (CVSS 8.1).

## Description

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, a password reset poisoning vulnerability was identified in the application due to improper trust of user-controlled HTTP headers. The application uses the X-Forwarded-Host header when generating password reset URLs. By manipulating this header during a password reset request, an attacker can inject an attacker-controlled domain into the reset link sent via email. As a result, the victim receives a password reset email containing a malicious link pointing to an attacker-controlled domain. When the victim clicks the link, the password reset token is transmitted to the attacker-controlled server. An attacker can capture this token and use it to reset the victim’s password, leading to full account takeover. This vulnerability is fixed in 2.5.4.

## Key facts

- **CVE ID:** CVE-2026-40905
- **Published:** 2026-04-21
- **CVSS severity:** HIGH
- **CVSS base score:** 8.1
- **CWE codes:** CWE-601

## Primary sources

- NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40905

## Citation

> AI Analytics. CVE-2026-40905. Retrieved 2026-07-16 from https://api.ai-analytics.org/cve/CVE-2026-40905. Derived from NIST NVD. Licensed CC0.

---

*[Dataset catalog](https://api.ai-analytics.org/datasets/) · [AI Analytics](https://api.ai-analytics.org/) · CC0 1.0*