Lucene search
+L

34 matches found

redhatcve
redhatcve
added 2026/04/07 5:3 p.m.6 views

CVE-2026-35036

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview editor fetches a page title through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts ...

7.5CVSS5.9AI score0.00327EPSS
Exploits1References1
redhatcve
redhatcve
added 2026/04/07 5:3 p.m.4 views

CVE-2026-35037

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, the GET /api/website/title endpoint accepts an arbitrary URL via the websiteurl query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. Th...

7.2CVSS6AI score0.00289EPSS
Exploits2References1
vulnrichment
vulnrichment
added 2026/04/06 4:56 p.m.1 views

CVE-2026-35037 Ech0 affected by unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, the GET /api/website/title endpoint accepts an arbitrary URL via the websiteurl query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. Th...

7.2CVSS6AI score0.00289EPSS
Exploits2References1
cvelist
cvelist
added 2026/04/06 4:56 p.m.21 views

CVE-2026-35037 Ech0 affected by unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, the GET /api/website/title endpoint accepts an arbitrary URL via the websiteurl query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. Th...

7.2CVSS0.00289EPSS
Exploits2References1
cve
cve
added 2026/04/06 4:56 p.m.22 views

CVE-2026-35037

Ech0 (GetWebsiteTitle endpoint) is affected by an unauthenticated SSRF vulnerability (CVE-2026-35037) prior to version 4.2.8. The GET /api/website/title endpoint accepts a user-supplied website_url, makes a server-side HTTP request without validating the target, and returns the HTML title content...

7.2CVSS6AI score0.00289EPSS
Exploits2References1Affected Software1
osv
osv
added 2026/04/06 4:56 p.m.3 views

CVE-2026-35037 Ech0 affected by unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, the GET /api/website/title endpoint accepts an arbitrary URL via the websiteurl query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. Th...

7.2CVSS6.1AI score0.00289EPSS
Exploits2References3
vulnrichment
vulnrichment
added 2026/04/06 4:55 p.m.1 views

CVE-2026-35036 Ech0 Affected by Unauthenticated Server-Side Request Forgery in Website Preview Feature

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview editor fetches a page title through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts ...

7.5CVSS5.9AI score0.00327EPSS
Exploits1References1
cnnvd
cnnvd
added 2026/04/06 12:0 a.m.7 views

Ech0 代码问题漏洞

Ech0 is a self-hosted personal microblogging platform developed by L1nSn0w. Versions of Ech0 prior to 4.2.8 had code vulnerabilities. These vulnerabilities stemmed from the GET /api/website/title endpoint, which made server-side HTTP requests to arbitrary URLs without verification. This could all...

7.2CVSS6AI score0.00289EPSS
Exploits2References1
snyk
snyk
added 2026/04/03 3:30 a.m.3 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the GET /api/website/title endpoint. An attacker can access internal or restricted network resources and potentially exfiltrate sensitive information by supplying a crafted URL to the unauthenticated...

8.7CVSS5.7AI score0.00327EPSS
Exploits3References2
osv
osv
added 2026/04/03 3:30 a.m.2 views

GHSA-WC4H-2348-JC3P Ech0 has Unauthenticated Server-Side Request Forgery in Website Preview Feature

Summary Ech0 implements link preview editor fetches a page title through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body...

7.5CVSS6AI score0.00327EPSS
Exploits1References3
github
github
added 2026/04/03 3:30 a.m.8 views

Ech0 has Unauthenticated Server-Side Request Forgery in Website Preview Feature

Summary Ech0 implements link preview editor fetches a page title through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body...

7.5CVSS5.8AI score0.00327EPSS
Exploits1References3Affected Software1
ptsecurity
ptsecurity
added 2026/04/03 12:0 a.m.8 views

PT-2026-30015

Name of the Vulnerable Software and Affected Versions Ech0 versions prior to 4.2.8 Description The GET /api/website/title endpoint is susceptible to Server-Side Request Forgery SSRF. The endpoint accepts an arbitrary URL via the website url query parameter and makes a server-side HTTP request to ...

7.2CVSS6AI score0.00289EPSS
Exploits2References6
euvd
euvd
added 2025/10/07 12:30 a.m.5 views

EUVD-2017-9068

Malware in sbrugna...

4.8CVSS5.1AI score0.0054EPSS
Exploits1References2
redhatcve
redhatcve
added 2025/05/23 4:3 a.m.7 views

CVE-2023-36942

A cross-site scripting XSS vulnerability in PHPGurukul Online Fire Reporting System Using PHP and MySQL 1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the website title field...

6.1CVSS5.8AI score0.0048EPSS
Exploits1
nvd
nvd
added 2024/04/17 9:15 p.m.19 views

CVE-2024-32340

A cross-site scripting XSS vulnerability in the Settings section of WonderCMS v3.4.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the WEBSITE TITLE parameter under the Menu module...

9.6CVSS5.6AI score0.00711EPSS
Exploits1References1
cnnvd
cnnvd
added 2024/04/17 12:0 a.m.2 views

WonderCMS 安全漏洞

WonderCMS is an open source PHP-based content management system CMS. A security vulnerability exists in WonderCMS version v3.4.3, which originates from a cross-site scripting XSS vulnerability in the Settings section. An attacker can exploit this vulnerability to execute arbitrary web script or...

9.6CVSS5.8AI score0.00711EPSS
Exploits1References2
ptsecurity
ptsecurity
added 2024/04/17 12:0 a.m.9 views

PT-2024-24519 · Wondercms · Wondercms

Name of the Vulnerable Software and Affected Versions: WonderCMS version 3.4.3 Description: A cross-site scripting XSS vulnerability in the Settings section allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the WEBSITE TITLE parameter under the Menu...

9.6CVSS6AI score0.00711EPSS
Exploits1References8
cvelist
cvelist
added 2024/04/17 12:0 a.m.25 views

CVE-2024-32340

A cross-site scripting XSS vulnerability in the Settings section of WonderCMS v3.4.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the WEBSITE TITLE parameter under the Menu module...

5.7AI score0.00711EPSS
Exploits1References1
nvd
nvd
added 2023/09/27 3:19 p.m.20 views

CVE-2023-44043

A reflected cross-site scripting XSS vulnerability in /install/index.php of Black Cat CMS 1.4.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website title parameter...

6.1CVSS5.9AI score0.00482EPSS
Exploits1References1
osv
osv
added 2023/09/27 3:19 p.m.15 views

CVE-2023-44043

A reflected cross-site scripting XSS vulnerability in /install/index.php of Black Cat CMS 1.4.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website title parameter...

6.1CVSS5.9AI score
Exploits0References1
Rows per page
Query Builder