CVE-2026-35036
Brak uwierzytelnienia w Ech0 pozwala na atak SSRF, co umożliwia dostęp do wewnętrznych zasobów.
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body into memory (io.ReadAll). There is no host allowlist, no SSRF filter, and InsecureSkipVerify: true on the outbound client. Anyone who can reach the instance can force the Ech0 server to open HTTP/HTTPS URLs of their choice as seen from the server’s network position (Docker bridge, VPC, localhost from the process view). This vulnerability is fixed in 4.2.8.
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 7.5 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.0% |
| Opublikowano (NVD) | 2026-04-06 17:17:12 UTC |
| Ostatnia modyfikacja (NVD) | 2026-04-14 19:58:33 UTC |
- https://github.com/lin-snow/Ech0/security/advisories/GHSA-wc4h-2348-jc3p (security-advisories@github.com) [Exploit, Mitigation, Vendor Advisory]