CVE-2026-35036
Ech0 is vulnerable to an unauthenticated server-side request forgery (SSRF) via GET /api/website/title. The endpoint accepts a fully attacker-controlled URL and performs a server-side HTTP(S) fetch from the Ech0 instance, reading the entire response into memory. No host allowlist or SSRF filterin...
CVE-2026-35036 Ech0 Affected by Unauthenticated Server-Side Request Forgery in Website Preview Feature
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (the editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts ...
EUVD-2021-22609
Malware in sbrugna...
CVE-2023-2793
Mattermost fails to validate links on external websites when constructing a preview for a linked website, allowing an attacker to cause a denial-of-service by linking to a specially crafted webpage in a message...
Code injection
Mattermost fails to validate links on external websites when constructing a preview for a linked website, allowing an attacker to cause a denial-of-service by linking to a specially crafted webpage in a message...
CVE-2021-35976
The feature to preview a website in Plesk Obsidian 18.0.0 through 18.0.32 on Linux is vulnerable to reflected XSS via the /plesk-site-preview/ PATH, aka PFSI-62467. The attacker could execute JavaScript code in the victim's browser by using the link to preview sites hosted on the server...