Insecure Implementation of Link Preview in Ech0 Publishing Platform
CVE-2026-35036

7.5 HIGH

Key Information:

Vendor: Lin-snow
Status: Vendor
CVE Published: 6 April 2026

What is CVE-2026-35036?

Ech0 is a self-hosted publishing platform for sharing ideas. Prior to version 4.2.8, its link preview feature fetched URLs without authenticating the request or validating the target URL. Any user with access to an Ech0 instance could therefore make the server issue arbitrary HTTP or HTTPS requests to any URL, potentially leading to unauthorized data exposure. The server-side handler did not check the requested host against an allowlist and had no protection against server-side request forgery (SSRF). Setting InsecureSkipVerify on the outbound connection compounds the problem, because the server then accepts any TLS certificate presented by the host it contacts. Users are advised to upgrade to version 4.2.8 to mitigate this vulnerability.
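The controls the description says were missing, written out as an added Go example that is not Ech0's code: a host allowlist, a check that the target does not resolve to an internal address, re-validation on redirects, and an HTTP client that leaves InsecureSkipVerify at its false default. The allowlist contents and the injected resolver are constructed for illustration.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// Constructed example allowlist; a real deployment would load it from configuration.
var previewAllowlist = map[string]bool{"example.com": true}
// ValidatePreviewURL accepts a preview URL only if it is http/https, its host is allowlisted
// and every address it resolves to is publicly routable. The resolver is injected for testing.
func ValidatePreviewURL(raw string, resolve func(string) ([]net.IP, error)) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, errors.New("only http and https previews are allowed")
	}
	host := u.Hostname()
	if !previewAllowlist[host] {
		return nil, fmt.Errorf("host %q is not on the preview allowlist", host)
	}
	ips, err := resolve(host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("cannot resolve %q", host)
	}
	for _, ip := range ips { // reject loopback, RFC 1918, link-local and unspecified addresses
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
			return nil, fmt.Errorf("host %q resolves to internal address %s", host, ip)
		}
	}
	return u, nil
}

// NewPreviewClient keeps certificate verification on (InsecureSkipVerify is left
// at its false default) and re-validates every redirect target with the same rules.
func NewPreviewClient() *http.Client {
	return &http.Client{
		Transport: &http.Transport{TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12}},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			_, err := ValidatePreviewURL(req.URL.String(), net.LookupIP)
			return err
		},
	}
}
```

Resolving the host before connecting closes the gap where an allowlisted name points at an internal address; a production version would also pin the connection to the validated address so a second lookup cannot return something different.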

Affected Version(s)

Ech0 < 4.2.8

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability Reserved