VYPR

Go modules package

github.com/lin-snow/ech0

pkg:golang/github.com/lin-snow/ech0

Vulnerabilities (3)

  • CVE-2026-35037HigApr 6, 2026
    affected < 1.4.8-0.20260401031029-4ca56fea5ba4fixed 1.4.8-0.20260401031029-4ca56fea5ba4

    Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, the GET /api/website/title endpoint accepts an arbitrary URL via the website_url query parameter and makes a server-side HTTP request to it without any validation of the target host

  • CVE-2026-35036HigApr 6, 2026
    affected < 1.4.8-0.20260401031029-4ca56fea5ba4fixed 1.4.8-0.20260401031029-4ca56fea5ba4

    Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauth

  • CVE-2026-33638MedMar 26, 2026
    affected < 1.4.8-0.20260322121226-acbf1fd71011fixed 1.4.8-0.20260322121226-acbf1fd71011

    Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, `GET /api/allusers` is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user