PT-2026-30014 · Ech0 · Ech0

Vashuvats · Published 2026-04-03 · Updated 2026-04-06

CVE-2026-35036 · CVSS v3.1 7.5 (High) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Ech0 versions prior to 4.2.8

Description
Ech0, a self-hosted publishing platform, has an unsafe link preview feature. The GET /api/website/title endpoint is unauthenticated and accepts attacker-controlled URLs. It performs a server-side GET request and reads the entire response body into memory with io.ReadAll. There is no host allowlist or SSRF filter, and InsecureSkipVerify is set to true for outbound client requests. An attacker who can reach the instance can therefore make the Ech0 server open HTTP/HTTPS URLs of their choice from the server's network position (Docker bridge, VPC, localhost). The client follows redirects by default, so a request can be moved on to internal targets. Because the full response body is read into memory, pointing the endpoint at a large file is a potential denial-of-service vector. The vulnerable code is in the internal/handler/common/common.go, internal/service/common/common.go and internal/util/http/http.go components.

Recommendations
Update versions prior to 4.2.8 to version 4.2.8 or later. Enforce an SSRF-safe URL policy, remove InsecureSkipVerify so that normal TLS verification applies, limit redirects, and add response size and timeout limits.
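A fetch path that applies the recommendations above, written as an added example for this entry rather than taken from Ech0's code or its 4.2.8 fix: the function names, the 1 MiB body cap, the three-redirect cap and the 10 s timeout are assumptions, and the address policy refuses the localhost, Docker bridge and VPC ranges the description names.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"time"
)

const maxBodyBytes, maxRedirects = 1 << 20, 3 // assumed limits: 1 MiB body cap (instead of io.ReadAll) and redirect cap

// checkURLTarget: http/https only; refuse hosts resolving to loopback, RFC 1918/ULA, link-local or unspecified (localhost, Docker bridge, VPC).
func checkURLTarget(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return fmt.Errorf("unsupported or malformed URL: %q", raw)
	}
	ips, err := net.LookupIP(u.Hostname()) // IP literals resolve without DNS; on error ips is nil
	for _, ip := range ips {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
			return fmt.Errorf("refusing internal address %s for host %q", ip, u.Hostname())
		}
	}
	return err // nil when the lookup succeeded and every address passed the policy
}

// newPreviewClient: TLS verification stays on (no InsecureSkipVerify), a hard timeout,
// a redirect cap, and the URL policy re-applied to the target of every redirect hop.
func newPreviewClient() *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= maxRedirects {
				return fmt.Errorf("stopped after %d redirects", maxRedirects)
			}
			return checkURLTarget(req.URL.String())
		},
	}
}

// readLimited replaces io.ReadAll: read at most maxBodyBytes and reject anything larger.
func readLimited(r io.Reader) ([]byte, error) {
	b, err := io.ReadAll(io.LimitReader(r, maxBodyBytes+1))
	if err == nil && len(b) > maxBodyBytes {
		return nil, fmt.Errorf("response body exceeds %d bytes", maxBodyBytes)
	}
	return b, err
}
```

The address check runs before the connection is made, so a production version should repeat it on the address actually dialed (for example in net.Dialer's Control hook), because a DNS answer can change between the check and the connect.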

SSRF

Related Identifiers

CVE-2026-35036
GHSA-WC4H-2348-JC3P

Affected Products

Ech0