Description
An issue was discovered in Veal98 Echo Open-Source Community System 2.2 through 2.3 that allows an unauthenticated attacker to cause the server to send email verification messages to arbitrary users via the /sendEmailCodeForResetPwd endpoint, potentially causing a denial of service to the server or to downstream users.
References (3)
Core References
Not Applicable: http://echo.com
Third Party Advisory: https://gist.github.com/Paxsizy/9d92e8746778cf0926705d89b4f3618c
Product: https://github.com/Veal98/Echo
Scores
CVSS v3: 7.5
EPSS: 0.0010
EPSS Percentile: 28.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-400
Status: published
Products (2): interviewx/echo 2.2, interviewx/echo 2.3
Published: Nov 25, 2025
Tracked Since: Feb 18, 2026