Description

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body into memory (io.ReadAll). There is no host allowlist, no SSRF filter, and InsecureSkipVerify: true on the outbound client. Anyone who can reach the instance can force the Ech0 server to open HTTP/HTTPS URLs of their choice as seen from the server’s network position (Docker bridge, VPC, localhost from the process view). This vulnerability is fixed in 4.2.8.

INFO

Published Date :

2026-04-06T16:55:47.544Z

Last Modified :

2026-04-06T16:55:47.544Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35036 vulnerability.

Vendors Products
Lin-snow
  • Ech0
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35036.

URL Resource
https://github.com/lin-snow/Ech0/security/advisories/GHSA-wc4h-2348-jc3p cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact