{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35037", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T21:06:06.428Z", "datePublished": "2026-04-06T16:56:54.674Z", "dateUpdated": "2026-04-06T18:48:39.909Z"}, "containers": {"cna": {"title": "Ech0 affected by unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-cqgf-f4x7-g6wc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-cqgf-f4x7-g6wc"}], "affected": [{"vendor": "lin-snow", "product": "Ech0", "versions": [{"version": "< 4.2.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T16:56:54.674Z"}, "descriptions": [{"lang": "en", "value": "Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, the GET /api/website/title endpoint accepts an arbitrary URL via the website_url query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. The endpoint requires no authentication. An attacker can use this to reach internal network services, cloud metadata endpoints (169.254.169.254), and localhost-bound services, with partial response data exfiltrated via the HTML <title> tag extraction This vulnerability is fixed in 4.2.8."}], "source": {"advisory": "GHSA-cqgf-f4x7-g6wc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T18:48:29.734295Z", "id": "CVE-2026-35037", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:48:39.909Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35037", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T18:48:29.734295Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:48:35.305Z"}}], "cna": {"title": "Ech0 affected by unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata", "source": {"advisory": "GHSA-cqgf-f4x7-g6wc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "lin-snow", "product": "Ech0", "versions": [{"status": "affected", "version": "< 4.2.8"}]}], "references": [{"url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-cqgf-f4x7-g6wc", "name": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-cqgf-f4x7-g6wc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, the GET /api/website/title endpoint accepts an arbitrary URL via the website_url query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. The endpoint requires no authentication. An attacker can use this to reach internal network services, cloud metadata endpoints (169.254.169.254), and localhost-bound services, with partial response data exfiltrated via the HTML <title> tag extraction This vulnerability is fixed in 4.2.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T16:56:54.674Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35037", "state": "PUBLISHED", "dateUpdated": "2026-04-06T18:48:39.909Z", "dateReserved": "2026-03-31T21:06:06.428Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T16:56:54.674Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, the GET /api/website/title endpoint accepts an arbitrary URL via the website_url query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. The endpoint requires no authentication. An attacker can use this to reach internal network services, cloud metadata endpoints (169.254.169.254), and localhost-bound services, with partial response data exfiltrated via the HTML <title> tag extraction This vulnerability is fixed in 4.2.8."}], "id": "CVE-2026-35037", "lastModified": "2026-04-06T17:17:13.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T17:17:13.093", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-cqgf-f4x7-g6wc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Ech0", "source": "cna", "vendor": "lin-snow"}, "product": "ech0", "vendor": "lin-snow"}], "analysis": {"en": {"generated_at": "2026-04-06T21:21:14.841015+00:00", "value": {"mitigation_remediation": ["Upgrade Ech0 to version 4.2.8 or later to apply the SSRF fix.", "If an upgrade is not immediately possible, restrict outbound HTTP requests from the Ech0 server to internal IP ranges or implement a firewall rule to block 127.0.0.1, 169.254.169.254, and the local network.", "Monitor network traffic for unusual SSRF patterns and check Ech0 for new releases."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure via Unauthenticated SSRF"}, "threat_synthesis": {"affected_systems": "The issue affects the open\u2011source Ech0 publishing platform from lin\u2011snow, specifically any release prior to version 4.2.8. Users running version 4.2.7 or earlier are vulnerable, while version 4.2.8 and later include the fix that validates and restricts outbound requests. No other products or vendors are listed in the advisory.", "description_and_impact": "The vulnerability lies in the GET /api/website/title endpoint of Ech0, which accepts an arbitrary URL via the website_url query parameter. Because the server performs an unvalidated HTTP request without requiring authentication, an attacker can trigger a Server\u2010Side Request Forgery. This allows the attacker to reach internal network services, cloud metadata endpoints such as 169.254.169.254, and localhost\u2010bound services, and the resulting response data can be partially exfiltrated through the HTML <title> tag, leaking sensitive information.", "risk_and_exploitability": "The CVSS score of 7.2 classifies the flaw as high severity, and the endpoint is publicly accessible without authentication, making exploitation straightforward. EPSS data is not available, and the vulnerability is not currently in CISA\u2019s KEV catalog; however, the ability to reach internal or cloud metadata services poses a real threat. The attack path involves sending a crafted GET request to /api/website/title with a malicious website_url pointing to an internal endpoint, after which portions of the response are returned in the <title> tag and can be read by the attacker."}}}}, "created": "2026-04-06T21:29:58.638479+00:00", "updated": "2026-04-06T21:31:30.333462+00:00", "vendors": ["lin-snow", "lin-snow$PRODUCT$ech0"]}