CVE-2026-35036

HIGH

Ech0 Affected by Unauthenticated Server-Side Request Forgery in Website Preview Feature

Title source: cna

Description

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body into memory (io.ReadAll). There is no host allowlist, no SSRF filter, and InsecureSkipVerify: true on the outbound client. Anyone who can reach the instance can force the Ech0 server to open HTTP/HTTPS URLs of their choice as seen from the server’s network position (Docker bridge, VPC, localhost from the process view). This vulnerability is fixed in 4.2.8.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/lin-snow/Ech0/security/advisories/GHSA-wc4h-2348-jc3p

Scores

CVSS v3 7.5

EPSS 0.0033

EPSS Percentile 24.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (3)

ech0/ech0 < 4.2.8

lin-snow/ech0 0 - 1.4.8-0.20260401031029-4ca56fea5ba4Go

lin-snow/Ech0 < 4.2.8

Published Apr 06, 2026

Tracked Since Apr 06, 2026