CVE-2025-62720: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Kovah LinkAce
LinkAce is a self-hosted archive to collect website links. Versions 2.3.1 and below allow any authenticated user to export the entire database of links from all users in the system, including private links that should only be accessible to their owners. The HTML and CSV export functions in the ExportController class retrieve all links without applying any ownership or visibility filtering, effectively bypassing all access controls implemented elsewhere in the application. This issue is fixed in version 2.4.0.
AI Analysis
Technical Summary
CVE-2025-62720 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information) and CWE-284 (Improper Access Control) affecting Kovah's LinkAce, a self-hosted link archive application. Versions prior to 2.4.0 contain a critical flaw in the ExportController class, which handles exporting user links in HTML and CSV formats. The export functions fail to apply any ownership or visibility filtering, allowing any authenticated user to retrieve the entire database of links, including private links that should be restricted to their respective owners. This bypasses the application's access control mechanisms implemented elsewhere, effectively exposing sensitive user data to unauthorized actors. The vulnerability is remotely exploitable over the network without requiring elevated privileges beyond authentication and does not require user interaction. The CVSS 4.0 score of 7.1 reflects a high severity due to the network attack vector, low attack complexity, no need for privileges beyond authentication, and the high confidentiality impact. Although no known exploits are currently reported in the wild, the flaw presents a significant risk of data leakage. The issue was publicly disclosed on November 4, 2025, and fixed in LinkAce version 2.4.0. Organizations using vulnerable versions should prioritize upgrading and reviewing access controls to prevent unauthorized data exposure.
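The defect pattern described above, shown as an added example beside a hardened form (this is illustrative Python, not LinkAce's PHP code; the `Link` schema with a `user_id` owner column and an `is_private` flag, and the visibility rule "owners see their own links, everyone else sees only non-private ones", are assumptions). The leak check at the end is the kind of test an instance owner could run over an export file.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample rows standing in for a links table with an owner column
# and a per-link "private" flag (assumed schema; not LinkAce's real model).
@dataclass(frozen=True)
class Link:
    id: int
    user_id: int
    url: str
    is_private: bool

LINKS = [
    Link(1, 1, "https://example.com/alice-public", False),
    Link(2, 1, "https://example.com/alice-private", True),
    Link(3, 2, "https://example.com/bob-public", False),
    Link(4, 2, "https://example.com/bob-private", True),
]

def is_visible_to(link: Link, user_id: int) -> bool:
    """Assumed visibility rule: an owner sees all of their own links;
    anyone else sees only links that are not marked private."""
    return link.user_id == user_id or not link.is_private

def export_csv_unfiltered(links) -> str:
    """The defect described in the advisory: every row is exported regardless
    of who is asking, so the file includes other users' private links."""
    return _render_csv(links)

def export_csv_for_user(links, user_id: int) -> str:
    """Hardened export: apply the same visibility predicate the rest of the
    application enforces before rendering a single row."""
    return _render_csv([l for l in links if is_visible_to(l, user_id)])

def _render_csv(rows) -> str:
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["id", "url", "private"])
    for l in rows:
        w.writerow([l.id, l.url, int(l.is_private)])
    return buf.getvalue()

def foreign_private_urls(csv_text: str, links, user_id: int) -> set:
    """Leak check for an export file: return URLs in it that belong to another
    user's private links (the set an instance owner wants to be empty)."""
    exported = {row["url"] for row in csv.DictReader(io.StringIO(csv_text))}
    return {l.url for l in links
            if l.is_private and l.user_id != user_id and l.url in exported}
```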
Potential Impact
For European organizations, this vulnerability poses a significant risk of sensitive information leakage. LinkAce is often used to manage and archive web links, which may include confidential business resources, internal documentation, or private research links. Unauthorized access to the entire link database can lead to exposure of proprietary information, intellectual property, or personal data, potentially violating GDPR and other privacy regulations. This could result in reputational damage, regulatory fines, and loss of competitive advantage. The vulnerability's exploitation requires only authenticated access, which could be obtained through compromised credentials or insider threats, increasing the risk. Additionally, the broad scope of data exposure affects all users within an organization, amplifying the potential damage. European entities relying on self-hosted productivity and knowledge management tools are particularly vulnerable if they have not applied the patch or implemented compensating controls.
Mitigation Recommendations
The primary mitigation is to upgrade all LinkAce instances to version 2.4.0 or later, where the export functionality properly enforces ownership and visibility filters. Organizations should audit their current LinkAce deployments to identify affected versions and prioritize patching. In parallel, review and tighten user authentication and authorization policies to limit access to trusted users only. Implement monitoring and alerting for unusual export activities or bulk data access patterns. Consider restricting export functionality to administrative roles or trusted personnel until the patch is applied. Additionally, conduct a thorough review of exported data to assess any potential data leakage and notify affected users if necessary. Employ network segmentation and access controls to limit exposure of the LinkAce server to only necessary internal users. Finally, educate users about credential security to reduce the risk of unauthorized authenticated access.
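The monitoring recommendation above, as an added example of detection logic run over sample access-log lines (not part of the advisory or of LinkAce). Two rules from the text are implemented: a successful export by a user outside the trusted/admin set, and a burst of exports by one user inside a short window. The log field layout and the `/export/...` paths are assumptions; the lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simple proxy style: timestamp, authenticated
# user, method, path, status. Field layout and /export/* paths are assumptions.
SAMPLE_LOG = """\
2025-11-05T08:00:01Z alice GET /links 200
2025-11-05T08:00:07Z bob GET /export/csv 200
2025-11-05T08:00:09Z bob GET /export/html 200
2025-11-05T08:00:12Z bob GET /export/csv 200
2025-11-05T09:30:00Z carol GET /export/csv 200
2025-11-05T09:31:00Z alice GET /links/42 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
EXPORT_PATH_RE = re.compile(r"^/export(/|$)")

def parse(log_text):
    """Yield (timestamp, user, method, path, status); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, method, path, status = m.groups()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, method, path, int(status)

def export_alerts(log_text, admins, window=timedelta(minutes=5), max_in_window=2):
    """Return (rule, user, detail) tuples for successful export requests that
    (a) come from a user outside `admins`, or
    (b) push one user past `max_in_window` successful exports within `window`."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of recent successful exports
    for ts, user, _method, path, status in parse(log_text):
        if status != 200 or not EXPORT_PATH_RE.match(path):
            continue
        if user not in admins:
            alerts.append(("export-by-untrusted-user", user, f"{ts.isoformat()} {path}"))
        hits = [t for t in recent[user] if ts - t <= window] + [ts]
        recent[user] = hits
        if len(hits) > max_in_window:
            alerts.append(("bulk-export", user, f"{len(hits)} exports within {window}"))
    return alerts
```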
Affected Countries
Germany, France, Netherlands, United Kingdom, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-20T19:41:22.741Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 690a797a9e609817bf7d7646
Added to database: 11/4/2025, 10:08:58 PM
Last enriched: 11/4/2025, 10:18:22 PM
Last updated: 11/5/2025, 1:47:50 AM