VDB

TNCVE-2026-33638

TNCVE-2026-33638 PUBLISHED

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, `GET /api/allusers` is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. A fix is available in v4.2.0.

Timeline

  • Mar 26, 2026 CVE Published

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›