Impact
The vulnerability lies in the GET /api/website/title endpoint of Ech0, which accepts an arbitrary URL via the website_url query parameter. Because the server fetches that URL without validating it and without requiring authentication, an unauthenticated attacker can trigger a Server-Side Request Forgery (SSRF). This lets the attacker reach internal network services, cloud metadata endpoints such as 169.254.169.254, and localhost-bound services, and part of the response from those targets is reflected back through the HTML <title> tag, leaking sensitive information.
Affected Systems
The issue affects the open-source Ech0 publishing platform from lin-snow, specifically any release prior to version 4.2.8. Users running version 4.2.7 or earlier are vulnerable, while version 4.2.8 and later include the fix that validates and restricts outbound requests. No other products or vendors are listed in the advisory.
Risk and Exploitability
The CVSS score of 7.2 classifies the flaw as high severity, and the endpoint is publicly accessible without authentication, making exploitation straightforward. EPSS data is not available, and the vulnerability is not currently in CISA’s KEV catalog; however, the ability to reach internal or cloud metadata services poses a real threat. The attack path involves sending a crafted GET request to /api/website/title with a malicious website_url pointing to an internal endpoint, after which portions of the response are returned in the <title> tag and can be read by the attacker.
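As an added defensive example, not Ech0's own code or its 4.2.8 fix (Go is assumed here because the Ech0 backend is written in it), the following validator is the kind of check a title-fetching handler such as /api/website/title would need to apply to website_url before issuing the outbound request. The resolver is injected so the check can be exercised offline; in production pass net.LookupIP and pin the returned addresses when dialing.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver abstracts DNS lookup so the check can be exercised offline.
type Resolver func(host string) ([]net.IP, error)
var errBlocked = errors.New("destination not allowed")
// isDisallowedIP rejects loopback, private, link-local (covers 169.254.169.254),
// unspecified and multicast addresses; To4 first so "::ffff:127.0.0.1" is caught too.
func isDisallowedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}
// ValidateOutboundURL returns the parsed URL only if it is safe to fetch: http/https,
// no embedded credentials, and every address the host resolves to is publicly
// routable. Pin the resolved IPs at dial time, or DNS rebinding bypasses the check.
func ValidateOutboundURL(raw string, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.User != nil {
		return nil, fmt.Errorf("%w: scheme %q or credentials", errBlocked, u.Scheme)
	}
	host := strings.TrimSuffix(strings.ToLower(u.Hostname()), ".")
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return nil, fmt.Errorf("%w: host %q", errBlocked, host)
	}
	ips := []net.IP{net.ParseIP(host)} // literal address: no DNS needed
	if ips[0] == nil {
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return nil, fmt.Errorf("%w: cannot resolve %q", errBlocked, host)
		}
	}
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return nil, fmt.Errorf("%w: %s resolves to %s", errBlocked, host, ip)
		}
	}
	return u, nil
}
```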
OpenCVE Enrichment
Github GHSA