33 matches found
CVE-2026-35036
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview editor fetches a page title through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts ...
CVE-2026-35037
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, the GET /api/website/title endpoint accepts an arbitrary URL via the websiteurl query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. Th...
CVE-2026-35037
Ech0 (GetWebsiteTitle endpoint) is affected by an unauthenticated SSRF vulnerability (CVE-2026-35037) prior to version 4.2.8. The GET /api/website/title endpoint accepts a user-supplied website_url, makes a server-side HTTP request without validating the target, and returns the HTML title content...
CVE-2026-35037 Ech0 affected by unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, the GET /api/website/title endpoint accepts an arbitrary URL via the websiteurl query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. Th...
CVE-2026-35037 Ech0 affected by unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, the GET /api/website/title endpoint accepts an arbitrary URL via the websiteurl query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. Th...
CVE-2026-35036 Ech0 Affected by Unauthenticated Server-Side Request Forgery in Website Preview Feature
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview editor fetches a page title through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts ...
Ech0 代码问题漏洞
Ech0 is a self-hosted personal microblogging platform developed by L1nSn0w. Versions of Ech0 prior to 4.2.8 had code vulnerabilities. These vulnerabilities stemmed from the GET /api/website/title endpoint, which made server-side HTTP requests to arbitrary URLs without verification. This could all...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the GET /api/website/title endpoint. An attacker can access internal or restricted network resources and potentially exfiltrate sensitive information by supplying a crafted URL to the unauthenticated...
Ech0 has Unauthenticated Server-Side Request Forgery in Website Preview Feature
Summary Ech0 implements link preview editor fetches a page title through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body...
GHSA-WC4H-2348-JC3P Ech0 has Unauthenticated Server-Side Request Forgery in Website Preview Feature
Summary Ech0 implements link preview editor fetches a page title through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body...
PT-2026-30015
Summary The GET /api/website/title endpoint accepts an arbitrary URL via the website url query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. The endpoint requires no authentication. An attacker can use this to reach internal network...
EUVD-2017-9068
Malware in sbrugna...
CVE-2023-36942
A cross-site scripting XSS vulnerability in PHPGurukul Online Fire Reporting System Using PHP and MySQL 1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the website title field...
CVE-2024-32340
A cross-site scripting XSS vulnerability in the Settings section of WonderCMS v3.4.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the WEBSITE TITLE parameter under the Menu module...
CVE-2024-32340
A cross-site scripting XSS vulnerability in the Settings section of WonderCMS v3.4.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the WEBSITE TITLE parameter under the Menu module...
PT-2024-24519 · Wondercms · Wondercms
Name of the Vulnerable Software and Affected Versions: WonderCMS version 3.4.3 Description: A cross-site scripting XSS vulnerability in the Settings section allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the WEBSITE TITLE parameter under the Menu...
WonderCMS 安全漏洞
WonderCMS is an open source PHP-based content management system CMS. A security vulnerability exists in WonderCMS version v3.4.3, which originates from a cross-site scripting XSS vulnerability in the Settings section. An attacker can exploit this vulnerability to execute arbitrary web script or...
CVE-2023-44043
A reflected cross-site scripting XSS vulnerability in /install/index.php of Black Cat CMS 1.4.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website title parameter...
CVE-2023-44043
A reflected cross-site scripting XSS vulnerability in /install/index.php of Black Cat CMS 1.4.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website title parameter...
CVE-2023-44043
A reflected cross-site scripting XSS vulnerability in /install/index.php of Black Cat CMS 1.4.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website title parameter...