Description
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body into memory (io.ReadAll). There is no host allowlist, no SSRF filter, and InsecureSkipVerify: true on the outbound client. Anyone who can reach the instance can force the Ech0 server to open HTTP/HTTPS URLs of their choice as seen from the server’s network position (Docker bridge, VPC, localhost from the process view). This vulnerability is fixed in 4.2.8.
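A hardened Go fetcher for a link-preview endpoint, added here as an example (it is not Ech0's code and not the 4.2.8 fix): it enforces http(s), refuses internal addresses at dial time so DNS rebinding and redirects are covered, keeps certificate verification on, and bounds the body instead of io.ReadAll. Function names are mine; the address list omits CGNAT 100.64.0.0/10 and other special ranges, and authentication on the route is a separate fix not shown.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

const maxBody = 1 << 20 // bound what reaches memory; the vulnerable code used io.ReadAll on the whole body
// isInternal: loopback, RFC 1918, link-local (incl. 169.254.169.254), unspecified and multicast.
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// checkAddr runs inside the dialer on the resolved ip:port, so DNS rebinding and redirects to internal hosts are refused.
func checkAddr(_, address string, _ syscall.RawConn) error {
	host, _, _ := net.SplitHostPort(address)
	if ip := net.ParseIP(host); ip == nil || isInternal(ip) {
		return fmt.Errorf("refusing to connect to %s", address)
	}
	return nil
}
// validateURL rejects non-http(s) schemes and literal internal IPs before any request is made.
func validateURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return nil, fmt.Errorf("rejected %q: need an absolute http(s) URL with a host", raw)
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil && isInternal(ip) {
		return nil, fmt.Errorf("rejected %q: host is not a public address", raw)
	}
	return u, nil
}

// newSafeClient keeps certificate verification on (no InsecureSkipVerify) and routes every dial through checkAddr.
func newSafeClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: checkAddr}
	return &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{
		DialContext:     d.DialContext,
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
	}}
}
// readBounded replaces io.ReadAll(resp.Body): at most maxBody bytes are read.
func readBounded(r io.Reader) ([]byte, error) { return io.ReadAll(io.LimitReader(r, maxBody)) }
```

Use validateURL on the user-supplied URL, then newSafeClient().Do on the request and readBounded on the body; the dialer check is what holds when the hostname later resolves elsewhere.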
Published: 2026-04-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery (SSRF)
Action: Patch Now
AI Analysis

Impact

Ech0 exposes an unauthenticated API endpoint that accepts any URL and fetches it without validation. The outbound HTTP client disables certificate verification and imposes no host restriction, allowing an attacker to request internal or privileged URLs through the server, retrieve arbitrary data, and exfiltrate it via the API response. This constitutes a Server‑Side Request Forgery vulnerability (CWE‑918).

Affected Systems

The vulnerability affects all Ech0 instances running version 4.2.7 or earlier. The affected product is the Ech0 self‑hosted publishing platform, which is open source and publicly hosted. Any deployment exposing the API endpoint to external networks is susceptible, regardless of the underlying platform or operating system.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% shows low current exploitation prevalence. The vulnerability is not listed in CISA’s KEV catalog. Attackers can trigger the SSRF by simply sending an HTTP request to the exposed endpoint; no special privileges are required. The potential for accessing internal services depends on the server’s network environment, meaning the risk is contingent on how the Ech0 instance is networked and exposed.

Generated by OpenCVE AI on April 14, 2026 at 21:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ech0 to version 4.2.8 or later.

Advisories
Source: Github GHSA
ID: GHSA-wc4h-2348-jc3p
Title: Ech0 has Unauthenticated Server-Side Request Forgery in Website Preview Feature
History

Tue, 14 Apr 2026 20:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ech0; Ech0 ech0
CPEs | | cpe:2.3:a:ech0:ech0:*:*:*:*:*:*:*:*
Vendors & Products | | Ech0; Ech0 ech0

Tue, 07 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Lin-snow; Lin-snow ech0
Vendors & Products | | Lin-snow; Lin-snow ech0

Mon, 06 Apr 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body into memory (io.ReadAll). There is no host allowlist, no SSRF filter, and InsecureSkipVerify: true on the outbound client. Anyone who can reach the instance can force the Ech0 server to open HTTP/HTTPS URLs of their choice as seen from the server’s network position (Docker bridge, VPC, localhost from the process view). This vulnerability is fixed in 4.2.8.
Title | | Ech0 Affected by Unauthenticated Server-Side Request Forgery in Website Preview Feature
Weaknesses | | CWE-918
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T14:09:40.939Z

Reserved: 2026-03-31T21:06:06.427Z

Link: CVE-2026-35036

Vulnrichment

Updated: 2026-04-07T14:09:30.934Z

NVD

Status : Analyzed

Published: 2026-04-06T17:17:12.940

Modified: 2026-04-14T19:58:33.303

Link: CVE-2026-35036

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses