Go modules package
github.com/lin-snow/ech0
pkg:golang/github.com/lin-snow/ech0
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-35037 | High | 7.2 | | < 1.4.8-0.20260401031029-4ca56fea5ba4 | 1.4.8-0.20260401031029-4ca56fea5ba4 | Apr 6, 2026 | Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, the GET /api/website/title endpoint accepts an arbitrary URL via the website_url query parameter and makes a server-side HTTP request to it without any validation of the target host |
| CVE-2026-35036 | High | 7.5 | | < 1.4.8-0.20260401031029-4ca56fea5ba4 | 1.4.8-0.20260401031029-4ca56fea5ba4 | Apr 6, 2026 | Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauth |
| CVE-2026-33638 | Med | 5.3 | | < 1.4.8-0.20260322121226-acbf1fd71011 | 1.4.8-0.20260322121226-acbf1fd71011 | Mar 26, 2026 | Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, `GET /api/allusers` is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user |