10 matches found
CVE-2026-33638 Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, GET /api/allusers is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. ...
CVE-2026-33638
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, GET /api/allusers is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. ...
CVE-2026-33638
CVE-2026-33638 (Ech0) : Prior to version 4.2.0, the public endpoint GET /api/allusers exposes user records without authentication, enabling remote unauthenticated user enumeration and exposure of user profile metadata. The issue is in the internal/router handling of /api/allusers. A fix is availa...
Missing Authorization
Overview: Affected versions of this package are vulnerable to Missing Authorization via the /api/allusers endpoint. An attacker can access sensitive user information by sending requests to this publicly accessible API endpoint. Remediation: Upgrade github.com/lin-snow/ech0/internal/router to versio...
GO-2026-4838 Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint in github.com/lin-snow/ech0
Ech0 authenticated user-list exposed data via public /api/allusers endpoint in github.com/lin-snow/ech0...
Ech0 Security Vulnerability
Ech0 is a self-hosted personal microblogging platform developed by L1nSn0w. Versions of Ech0 prior to 4.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the GET /api/allusers endpoint, which returned user records without verification, potentially allowing unauthorized...
Malicious code in sap-allusers (npm)
Source: ossf-package-analysis d5eacfc5bc68ef30f29755795ed8ff32a858d41764d8e98b1e3e4525fe339f04 The OpenSSF Package Analysis project identified 'sap-allusers' @ 0.0.0 npm as malicious. It is considered malicious because: - The package...
Udemy: S3 bucket unnecessarily discloses permissions
The 'udemy-images' bucket allows the 'AllUsers' group to list ACLs that are applied to the bucket. By navigating to: https://udemy-images.udemy.com or by using the aws-cli tool an attacker can see which users have READ, WRITE, READACP, and WRITEACP rights. Doing this now we can see one user who h...