CVE-2026-45344 affects LinkAce, a self-hosted website link archive application. The vulnerability exists in versions prior to 2.5.6 where the database setup configuration flow on uninitialized instances accepts attacker-controlled database credentials without proper escaping. These credentials are written directly to the .env file, allowing attackers to inject mail configuration variables. When the application later sends mail, this leads to remote command execution. The vulnerability requires access to setup endpoints and control of a database that the application connects to. This issue has been patched in version 2.5.6.