{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35036", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T21:06:06.427Z", "datePublished": "2026-04-06T16:55:47.544Z", "dateUpdated": "2026-04-07T14:09:40.939Z"}, "containers": {"cna": {"title": "Ech0 Affected by Unauthenticated Server-Side Request Forgery in Website Preview Feature", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-wc4h-2348-jc3p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-wc4h-2348-jc3p"}], "affected": [{"vendor": "lin-snow", "product": "Ech0", "versions": [{"version": "< 4.2.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T16:55:47.544Z"}, "descriptions": [{"lang": "en", "value": "Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body into memory (io.ReadAll). There is no host allowlist, no SSRF filter, and InsecureSkipVerify: true on the outbound client. Anyone who can reach the instance can force the Ech0 server to open HTTP/HTTPS URLs of their choice as seen from the server\u2019s network position (Docker bridge, VPC, localhost from the process view). This vulnerability is fixed in 4.2.8."}], "source": {"advisory": "GHSA-wc4h-2348-jc3p", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-wc4h-2348-jc3p", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T14:09:37.452061Z", "id": "CVE-2026-35036", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:09:40.939Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35036", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T14:09:37.452061Z"}}}], "references": [{"url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-wc4h-2348-jc3p", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:09:30.934Z"}}], "cna": {"title": "Ech0 Affected by Unauthenticated Server-Side Request Forgery in Website Preview Feature", "source": {"advisory": "GHSA-wc4h-2348-jc3p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "lin-snow", "product": "Ech0", "versions": [{"status": "affected", "version": "< 4.2.8"}]}], "references": [{"url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-wc4h-2348-jc3p", "name": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-wc4h-2348-jc3p", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body into memory (io.ReadAll). There is no host allowlist, no SSRF filter, and InsecureSkipVerify: true on the outbound client. Anyone who can reach the instance can force the Ech0 server to open HTTP/HTTPS URLs of their choice as seen from the server\u2019s network position (Docker bridge, VPC, localhost from the process view). This vulnerability is fixed in 4.2.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T16:55:47.544Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35036", "state": "PUBLISHED", "dateUpdated": "2026-04-07T14:09:40.939Z", "dateReserved": "2026-03-31T21:06:06.427Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T16:55:47.544Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ech0:ech0:*:*:*:*:*:*:*:*", "matchCriteriaId": "9571E0F6-6EAF-4AFD-AE06-4E579DFE798A", "versionEndExcluding": "4.2.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body into memory (io.ReadAll). There is no host allowlist, no SSRF filter, and InsecureSkipVerify: true on the outbound client. Anyone who can reach the instance can force the Ech0 server to open HTTP/HTTPS URLs of their choice as seen from the server\u2019s network position (Docker bridge, VPC, localhost from the process view). This vulnerability is fixed in 4.2.8."}], "id": "CVE-2026-35036", "lastModified": "2026-04-14T19:58:33.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T17:17:12.940", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-wc4h-2348-jc3p"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-wc4h-2348-jc3p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Ech0", "source": "cna", "vendor": "lin-snow"}, "product": "ech0", "vendor": "lin-snow"}], "analysis": {"en": {"generated_at": "2026-04-14T21:46:17.831998+00:00", "value": {"mitigation_remediation": ["Upgrade Ech0 to version 4.2.8 or later."], "summary": {"action": "Patch Now", "impact": "Server\u2011Side Request Forgery (SSRF)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all Ech0 instances running version 4.2.7 or earlier. The affected product is the Ech0 self\u2011hosted publishing platform, which is open source and publicly hosted. Any deployment exposing the API endpoint to external networks is susceptible, regardless of the underlying platform or operating system.", "description_and_impact": "Ech0 exposes an unauthenticated API endpoint that accepts any URL and fetches it without validation. The outbound HTTP client disables certificate verification and imposes no host restriction, allowing an attacker to request internal or privileged URLs through the server, retrieve arbitrary data, and exfiltrate it via the API response. This constitutes a Server\u2011Side Request Forgery vulnerability (CWE\u2011918).", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% shows low current exploitation prevalence. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers can trigger the SSRF by simply sending an HTTP request to the exposed endpoint; no special privileges are required. The potential for accessing internal services depends on the server\u2019s network environment, meaning the risk is contingent on how the Ech0 instance is networked and exposed."}}}}, "created": "2026-04-06T21:29:59.591341+00:00", "updated": "2026-04-15T16:30:09.740993+00:00", "vendors": ["lin-snow", "lin-snow$PRODUCT$ech0"]}