CVE-2026-35036
Description
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body into memory (io.ReadAll). There is no host allowlist, no SSRF filter, and InsecureSkipVerify: true on the outbound client. Anyone who can reach the instance can force the Ech0 server to open HTTP/HTTPS URLs of their choice as seen from the server’s network position (Docker bridge, VPC, localhost from the process view). This vulnerability is fixed in 4.2.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/lin-snow/ech0Go | < 1.4.8-0.20260401031029-4ca56fea5ba4 | 1.4.8-0.20260401031029-4ca56fea5ba4 |
Affected products
2Patches
Vulnerability mechanics
References
3- github.com/lin-snow/Ech0/security/advisories/GHSA-wc4h-2348-jc3pnvdExploitMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-wc4h-2348-jc3pghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-35036ghsaADVISORY
News mentions
0No linked articles in our index yet.