CVE-2026-35036: CWE-918: Server-Side Request Forgery (SSRF) in lin-snow Ech0
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body into memory (io.ReadAll). There is no host allowlist, no SSRF filter, and InsecureSkipVerify: true on the outbound client. Anyone who can reach the instance can force the Ech0 server to open HTTP/HTTPS URLs of their choice as seen from the server’s network position (Docker bridge, VPC, localhost from the process view). This vulnerability is fixed in 4.2.8.
AI Analysis
Technical Summary
Ech0, an open-source self-hosted publishing platform, had an SSRF vulnerability in its link preview feature before version 4.2.8. The GET /api/website/title endpoint accepts any URL without authentication and performs a server-side GET request with InsecureSkipVerify set to true, no host allowlist, and no SSRF protections. This allows an attacker with network access to the Ech0 instance to make the server fetch arbitrary URLs, potentially accessing internal network resources or services. The vulnerability is tracked as CWE-918 and has a CVSS 3.1 score of 7.5 (high severity).
Potential Impact
An attacker who can reach the vulnerable Ech0 instance can cause the server to make arbitrary HTTP/HTTPS requests from its network position, potentially accessing internal or protected resources. The vulnerability does not directly impact data integrity or availability but can lead to information disclosure by accessing internal endpoints. The CVSS score reflects high confidentiality impact with no integrity or availability impact.
Mitigation Recommendations
This vulnerability is fixed in Ech0 version 4.2.8. Users should upgrade to version 4.2.8 or later to remediate the issue. Since no official patch link or advisory was provided, verify the upgrade availability from the vendor's official source. Until upgraded, restrict network access to the vulnerable endpoint to trusted users only to reduce exploitation risk.
CVE-2026-35036: CWE-918: Server-Side Request Forgery (SSRF) in lin-snow Ech0
Description
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body into memory (io.ReadAll). There is no host allowlist, no SSRF filter, and InsecureSkipVerify: true on the outbound client. Anyone who can reach the instance can force the Ech0 server to open HTTP/HTTPS URLs of their choice as seen from the server’s network position (Docker bridge, VPC, localhost from the process view). This vulnerability is fixed in 4.2.8.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Ech0, an open-source self-hosted publishing platform, had an SSRF vulnerability in its link preview feature before version 4.2.8. The GET /api/website/title endpoint accepts any URL without authentication and performs a server-side GET request with InsecureSkipVerify set to true, no host allowlist, and no SSRF protections. This allows an attacker with network access to the Ech0 instance to make the server fetch arbitrary URLs, potentially accessing internal network resources or services. The vulnerability is tracked as CWE-918 and has a CVSS 3.1 score of 7.5 (high severity).
Potential Impact
An attacker who can reach the vulnerable Ech0 instance can cause the server to make arbitrary HTTP/HTTPS requests from its network position, potentially accessing internal or protected resources. The vulnerability does not directly impact data integrity or availability but can lead to information disclosure by accessing internal endpoints. The CVSS score reflects high confidentiality impact with no integrity or availability impact.
Mitigation Recommendations
This vulnerability is fixed in Ech0 version 4.2.8. Users should upgrade to version 4.2.8 or later to remediate the issue. Since no official patch link or advisory was provided, verify the upgrade availability from the vendor's official source. Until upgraded, restrict network access to the vulnerable endpoint to trusted users only to reduce exploitation risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-31T21:06:06.427Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d3ea320a160ebd92c9fd87
Added to database: 4/6/2026, 5:15:30 PM
Last enriched: 4/6/2026, 5:31:00 PM
Last updated: 4/7/2026, 6:45:39 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.