7 matches found

CVE
added 2026/03/26 8:52 p.m., 8 views

CVE-2026-33638

CVE-2026-33638 (Ech0) : Prior to version 4.2.0, the public endpoint GET /api/allusers exposes user records without authentication, enabling remote unauthenticated user enumeration and exposure of user profile metadata. The issue is in the internal/router handling of /api/allusers. A fix is availa...

CVSS 5.3 | AI score 5.8 | EPSS 0.00484
Exploits: 0 | References: 3 | Affected Software: 1
ATTACKERKB
added 2026/03/26 8:52 p.m., 2 views

CVE-2026-33638

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, GET /api/allusers is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. ...

CVSS 5.3 | AI score 5.8 | EPSS 0.00484
Exploits: 0 | References: 4 | Affected Software: 1
OSV
added 2026/03/26 8:52 p.m., 2 views

CVE-2026-33638 Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, GET /api/allusers is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. ...

CVSS 5.3 | AI score 6.4 | EPSS 0.00484
Exploits: 0 | References: 5
Cvelist
added 2026/03/26 8:52 p.m., 19 views

CVE-2026-33638 Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, GET /api/allusers is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. ...

CVSS 5.3 | EPSS 0.00484
Exploits: 0 | References: 3
OSV
added 2026/03/26 8:33 p.m., 1 views

GO-2026-4838 Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint in github.com/lin-snow/ech0

Ech0 authenticated user-list exposed data via public /api/allusers endpoint in github.com/lin-snow/ech0...

CVSS 5.3 | AI score 5.8 | EPSS 0.00484
Exploits: 0 | References: 3
Snyk
added 2026/03/26 8:33 p.m., 5 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the /api/allusers endpoint. An attacker can access sensitive user information by sending requests to this publicly accessible API endpoint. Remediation: Upgrade github.com/lin-snow/ech0/internal/router to versio...

CVSS 6.9 | AI score 5.9 | EPSS 0.00484
Exploits: 0 | References: 3
CNNVD
added 2026/03/26 12:0 a.m., 2 views

Ech0 Security Vulnerability

Ech0 is a self-hosted personal microblogging platform developed by L1nSn0w. Versions of Ech0 prior to 4.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the GET /api/allusers endpoint, which returned user records without verification, potentially allowing unauthorized...

CVSS 5.3 | AI score 6.4 | EPSS 0.00484
Exploits: 0 | References: 4