Skip to main content

Echo

5 CVEs product

Monthly

CVE-2026-55677 HIGH PATCH This Week

Path-based access control bypass in the LabStack Echo Go web framework (versions prior to 4.15.3 and 5.2.0) lets remote attackers retrieve protected static files without authorization. The flaw stems from the router matching routes on the raw encoded path (keeping %2F literal) while StaticDirectoryHandler decodes %2F to '/' before filesystem resolution, so a crafted URL slips past route-level guards. There is no public exploit identified at time of analysis and no CISA KEV listing; CVSS is 7.5 (confidentiality-only).

Path Traversal Echo
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-25766 Go MEDIUM POC PATCH This Month

Unauthenticated remote file read in Echo web framework versions 5.0.0-5.0.2 on Windows allows attackers to traverse outside the static root directory and access arbitrary files via backslash path sequences in requests. The vulnerability stems from improper path normalization where path.Clean() does not treat backslashes as separators, but the underlying os.Open() call on Windows does, enabling directory traversal. Public exploit code exists for this medium-severity vulnerability, though a patch is available in version 5.0.3.

Windows Golang Path Traversal Echo Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-51741 HIGH This Week

An issue was discovered in Veal98 Echo Open-Source Community System 2.2 thru 2.3 allowing an unauthenticated attacker to cause the server to send email verification messages to arbitrary users via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Echo
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2022-40083 Go CRITICAL POC PATCH Act Now

Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Open Redirect Echo
NVD GitHub
CVSS 3.1
9.6
EPSS
2.3%
CVE-2015-8007 MEDIUM PATCH This Month

The Echo extension for MediWiki does not properly implement the hideuser functionality, which allows remote authenticated users to see hidden usernames in "non-revision based" notifications, as. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Echo
NVD
CVSS 2.0
4.0
EPSS
0.2%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Path-based access control bypass in the LabStack Echo Go web framework (versions prior to 4.15.3 and 5.2.0) lets remote attackers retrieve protected static files without authorization. The flaw stems from the router matching routes on the raw encoded path (keeping %2F literal) while StaticDirectoryHandler decodes %2F to '/' before filesystem resolution, so a crafted URL slips past route-level guards. There is no public exploit identified at time of analysis and no CISA KEV listing; CVSS is 7.5 (confidentiality-only).

Path Traversal Echo
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Unauthenticated remote file read in Echo web framework versions 5.0.0-5.0.2 on Windows allows attackers to traverse outside the static root directory and access arbitrary files via backslash path sequences in requests. The vulnerability stems from improper path normalization where path.Clean() does not treat backslashes as separators, but the underlying os.Open() call on Windows does, enabling directory traversal. Public exploit code exists for this medium-severity vulnerability, though a patch is available in version 5.0.3.

Windows Golang Path Traversal +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

An issue was discovered in Veal98 Echo Open-Source Community System 2.2 thru 2.3 allowing an unauthenticated attacker to cause the server to send email verification messages to arbitrary users via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Echo
NVD GitHub
EPSS 2% CVSS 9.6
CRITICAL POC PATCH Act Now

Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Open Redirect Echo
NVD GitHub
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

The Echo extension for MediWiki does not properly implement the hideuser functionality, which allows remote authenticated users to see hidden usernames in "non-revision based" notifications, as. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Echo
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy