CVE-2025-62720: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Kovah LinkAce
LinkAce is a self-hosted archive to collect website links. Versions 2.3.1 and below allow any authenticated user to export the entire database of links from all users in the system, including private links that should only be accessible to their owners. The HTML and CSV export functions in the ExportController class retrieve all links without applying any ownership or visibility filtering, effectively bypassing all access controls implemented elsewhere in the application. This issue is fixed in version 2.4.0.
AI Analysis
Technical Summary
CVE-2025-62720 affects Kovah LinkAce, a self-hosted link archive application widely used for organizing and sharing website links. In versions 2.3.1 and earlier, the ExportController class responsible for exporting links via HTML or CSV formats fails to apply any ownership or visibility filtering. This means that any authenticated user can export the entire database of links, including private links that should only be accessible to their owners. The vulnerability stems from improper access control implementation (CWE-284) and results in exposure of sensitive information (CWE-200). Because the export functions retrieve all links indiscriminately, the confidentiality of all users' private links is compromised. Exploitation requires only authenticated access, no additional user interaction, and can be performed remotely over the network. The vulnerability was publicly disclosed on November 4, 2025, with no known exploits in the wild at the time of publication. The issue is resolved in LinkAce version 2.4.0, which enforces proper ownership and visibility checks during export operations. The CVSS 4.0 vector (AV:N/AC:L/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) reflects a network attack vector with low complexity, requiring low privileges but no user interaction, and resulting in high confidentiality impact without affecting integrity or availability.
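The following is an added illustration, not LinkAce's code: a minimal Python model of the export path, contrasting an unfiltered export (the flaw described above) with one that applies the ownership/visibility rule at the data-access layer, plus an audit check that detects foreign private links in an export. The Link fields, the visibility rule and the sample data are assumptions.

```python
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    id: int
    owner_id: int
    url: str
    is_private: bool


# Constructed sample data: links belonging to two different users.
LINKS = [
    Link(1, 1, "https://example.org/public-a", False),
    Link(2, 1, "https://example.org/private-a", True),
    Link(3, 2, "https://example.org/public-b", False),
    Link(4, 2, "https://example.org/private-b", True),
]


def export_unfiltered(links):
    """Models the flawed behaviour: every stored link is returned no matter
    who requested the export."""
    return list(links)


def visible_to(user_id, links):
    """Ownership/visibility rule applied at the data-access layer: a user may
    see their own links plus any link that is not private (assumed rule)."""
    return [l for l in links if l.owner_id == user_id or not l.is_private]


def export_csv(user_id, links=LINKS):
    """CSV export that only includes links the requesting user may see."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["id", "owner_id", "url", "is_private"])
    for l in visible_to(user_id, links):
        writer.writerow([l.id, l.owner_id, l.url, int(l.is_private)])
    return buf.getvalue()


def foreign_private_links(user_id, exported):
    """Audit check: private links in an export that belong to someone else.
    A correctly filtered export yields an empty list."""
    return [l for l in exported if l.is_private and l.owner_id != user_id]
```

The audit helper is the regression test to keep after upgrading: run it against an export produced for a low-privilege test account and expect an empty result.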
Potential Impact
For European organizations, this vulnerability poses a significant risk of sensitive data leakage. LinkAce is often used by teams to manage and share curated links, some of which may contain confidential or proprietary information. Unauthorized export of all users' private links could lead to exposure of internal resources, intellectual property, or sensitive operational data. This could facilitate further attacks such as social engineering, phishing, or reconnaissance by adversaries. Organizations in regulated sectors (e.g., finance, healthcare, government) face additional compliance risks due to potential breaches of data protection laws like GDPR. The ease of exploitation combined with the broad scope of data exposure makes this vulnerability particularly impactful for enterprises relying on LinkAce for internal knowledge management. While no known exploits are reported yet, the vulnerability’s public disclosure increases the risk of active exploitation attempts.
Mitigation Recommendations
European organizations using Kovah LinkAce should immediately upgrade to version 2.4.0 or later, where the vulnerability is fixed by enforcing proper access control checks on export functions. Until upgrading is possible, organizations should restrict LinkAce access to trusted users only and consider disabling export functionality temporarily to prevent data leakage. Implement network segmentation and firewall rules to limit access to the LinkAce server. Monitor authentication logs for unusual export activity or large data downloads. Conduct an internal audit of exported data access and review user privileges to ensure minimal necessary access. Additionally, organizations should educate users about the risks of sharing credentials and enforce strong authentication mechanisms to reduce the risk of unauthorized access. Regularly applying security patches and maintaining an inventory of self-hosted applications will help prevent similar issues.
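As an added example of the log monitoring recommended above (not part of the original advisory), the Python below parses web server access log lines, keeps successful requests to export endpoints, and flags users who pull an unusually large export or export repeatedly. The log lines are constructed, and the /export/csv and /export/html paths and the thresholds are assumptions, not LinkAce's actual routes.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not from a real LinkAce host);
# the /export/csv and /export/html paths are assumptions, not the app's real routes.
SAMPLE_LOG = """\
10.0.0.5 - alice [04/Nov/2025:10:01:12 +0000] "GET /links HTTP/1.1" 200 8123
10.0.0.5 - alice [04/Nov/2025:10:02:40 +0000] "GET /export/csv HTTP/1.1" 200 4201
10.0.0.9 - bob [04/Nov/2025:10:05:03 +0000] "GET /export/html HTTP/1.1" 200 2893311
10.0.0.9 - bob [04/Nov/2025:10:05:31 +0000] "GET /export/csv HTTP/1.1" 200 1911044
10.0.0.9 - bob [04/Nov/2025:10:06:02 +0000] "GET /export/csv HTTP/1.1" 200 1911044
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
EXPORT_PATH_RE = re.compile(r"^/export/(csv|html)$")

def parse_line(line):
    """Parse one access-log line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def export_findings(log_text, max_bytes=1_000_000, max_exports=2):
    """Flag users whose largest successful export exceeds max_bytes or who
    exported more than max_exports times; returns {user: [reason, ...]}."""
    stats = defaultdict(lambda: {"count": 0, "largest": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "200" or not EXPORT_PATH_RE.match(rec["path"]):
            continue
        s = stats[rec["user"]]
        s["count"] += 1
        s["largest"] = max(s["largest"], rec["size"])
    findings = {}
    for user, s in stats.items():
        reasons = []
        if s["largest"] > max_bytes:
            reasons.append(f"large export ({s['largest']} bytes)")
        if s["count"] > max_exports:
            reasons.append(f"repeated exports ({s['count']})")
        if reasons:
            findings[user] = reasons
    return findings
```

Tune max_bytes to the size of a normal single-user export on your instance; on a vulnerable version a full-database export from a low-privilege account will stand out by size alone.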
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-20T19:41:22.741Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 690a797a9e609817bf7d7646
Added to database: 11/4/2025, 10:08:58 PM
Last enriched: 11/11/2025, 11:17:31 PM
Last updated: 12/20/2025, 1:43:44 AM