CVE-2025-62721: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Kovah LinkAce
LinkAce is a self-hosted archive to collect website links. In versions 2.3.1 and below, authenticated RSS feed endpoints in the FeedController class fail to implement proper authorization checks, allowing any authenticated user to access all links, lists, and tags from all users in the system, regardless of their ownership or visibility settings. This issue is fixed in version 2.4.0.
AI Analysis
Technical Summary
CVE-2025-62721 is a vulnerability identified in Kovah's LinkAce, a self-hosted web link archive tool, affecting versions 2.3.1 and earlier. The flaw resides in the FeedController class, specifically in the authenticated RSS feed endpoints, which fail to enforce proper authorization checks. As a result, any authenticated user, regardless of role or ownership, can access all links, lists, and tags stored by every user in the system. This bypasses the intended visibility and ownership restrictions and leads to unauthorized exposure of potentially sensitive information. The vulnerability is exploitable remotely over the network without user interaction and requires only low privileges (an authenticated account). The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and a high impact on confidentiality (VC:H) with no impact on integrity or availability. The vulnerability was reserved on 2025-10-20 and published on 2025-11-04, with no known exploits in the wild at the time of reporting. Kovah fixed the issue in LinkAce version 2.4.0 by implementing proper authorization checks on the RSS feed endpoints. This vulnerability falls under CWE-200 (Exposure of Sensitive Information) and CWE-284 (Improper Access Control).
Potential Impact
For European organizations, this vulnerability poses a significant risk to confidentiality, as unauthorized users within the same LinkAce instance can access all stored links and metadata, potentially exposing sensitive business intelligence, research, or personal data. Organizations relying on LinkAce for internal knowledge management or link archiving may inadvertently leak confidential information across departments or to unauthorized personnel. This could lead to data breaches, compliance violations (e.g., GDPR), and reputational damage. The lack of impact on integrity and availability limits the threat to information disclosure rather than system disruption or data manipulation. However, the ease of exploitation and the potential volume of exposed data make this a critical concern for sectors handling sensitive information such as finance, healthcare, and government agencies. Since the vulnerability requires authentication, insider threats or compromised accounts are primary vectors. The absence of known exploits in the wild suggests limited immediate risk but does not preclude future exploitation.
Mitigation Recommendations
The primary and most effective mitigation is to upgrade all LinkAce instances to version 2.4.0 or later, where the authorization checks are properly implemented. Organizations should conduct an inventory of LinkAce deployments and verify versions to prioritize patching. Additionally, review and tighten user access controls and authentication mechanisms to minimize the risk of unauthorized access by insiders or compromised accounts. Implement network segmentation and monitoring to detect unusual access patterns to LinkAce RSS feeds. Consider disabling RSS feed endpoints if not required or restricting access via firewall rules or reverse proxies. Conduct audits of exposed data to assess potential information leakage and notify affected stakeholders if sensitive data exposure is confirmed. Finally, incorporate LinkAce into regular vulnerability management and penetration testing programs to detect similar authorization issues proactively.
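The flaw class described above, authentication without object-level authorization on a feed endpoint, is easier to reason about with a small model beside its corrected form. The following Python is an added illustration written for this page; it is not LinkAce's code and does not reproduce the real FeedController. The User and Link types, the visibility values ("public", "internal", "private"), the viewing policy, and the sample data are all assumptions constructed for the example. The `leaked_ids` helper is the kind of regression check a maintainer can keep around to catch a feed handler that returns records the caller is not entitled to see.

```python
"""Hypothetical model of a feed endpoint that proves *who* the caller is
but never checks *which* records the caller may see, beside a scoped
version. Simplified illustration; not LinkAce's code."""

from dataclasses import dataclass
from xml.etree import ElementTree as ET


@dataclass(frozen=True)
class User:
    id: int
    name: str


@dataclass(frozen=True)
class Link:
    id: int
    owner_id: int
    url: str
    title: str
    visibility: str  # assumed values for this example: "public", "internal", "private"


# Constructed sample data: two users and a mix of visibilities.
ALICE = User(1, "alice")
BOB = User(2, "bob")
LINKS = [
    Link(10, ALICE.id, "https://example.invalid/a-public", "Alice public", "public"),
    Link(11, ALICE.id, "https://example.invalid/a-internal", "Alice internal", "internal"),
    Link(12, ALICE.id, "https://example.invalid/a-private", "Alice private", "private"),
    Link(20, BOB.id, "https://example.invalid/b-private", "Bob private", "private"),
]


def feed_links_unscoped(user: User) -> list[Link]:
    """Flawed pattern: the caller is authenticated (user is not None), but the
    query is never scoped to the caller, so every user's links are returned."""
    assert user is not None  # authentication happened, authorization did not
    return list(LINKS)


def may_view(user: User, link: Link) -> bool:
    """Object-level authorization. Assumed policy for this example: owners see
    their own links; 'public' and 'internal' links are visible to any
    authenticated user; 'private' links only to their owner."""
    if link.owner_id == user.id:
        return True
    return link.visibility in ("public", "internal")


def feed_links_scoped(user: User) -> list[Link]:
    """Fixed pattern: the authorization predicate is applied to every record."""
    return [link for link in LINKS if may_view(user, link)]


def render_rss(title: str, links: list[Link]) -> str:
    """Minimal RSS 2.0 document, so the difference is visible as an actual feed."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = title
    for link in links:
        item = ET.SubElement(channel, "item")
        ET.SubElement(item, "title").text = link.title
        ET.SubElement(item, "link").text = link.url
    return ET.tostring(rss, encoding="unicode")


def leaked_ids(handler, user: User) -> list[int]:
    """Regression check: ids a handler returned that the caller may not view.
    An empty list means the handler is correctly scoped for that caller."""
    return [link.id for link in handler(user) if not may_view(user, link)]


if __name__ == "__main__":
    print("unscoped handler leaks to bob:", leaked_ids(feed_links_unscoped, BOB))
    print("scoped handler leaks to bob:  ", leaked_ids(feed_links_scoped, BOB))
    print(render_rss("bob's feed", feed_links_scoped(BOB)))
```

Running the block shows the unscoped handler handing Alice's private link to Bob while the scoped handler returns only what Bob owns or what is marked visible to other authenticated users. The useful habit here is the last function: a test that asserts `leaked_ids` is empty for each role catches a reintroduced unscoped query before it ships, independent of which framework the real endpoint lives in.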
Affected Countries
Germany, France, Netherlands, United Kingdom, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-20T19:41:22.741Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 690a797a9e609817bf7d764b
Added to database: 11/4/2025, 10:08:58 PM
Last enriched: 11/4/2025, 10:18:07 PM
Last updated: 11/5/2025, 12:59:35 AM