GHSA-RGJ7-VG8V-J4WR: Unauthenticated Engagement Metric Inflation in Ech0

Vulnerability ID: GHSA-RGJ7-VG8V-J4WR
CVSS Score: 5.3
Published: 2026-05-07

The Ech0 lightweight publishing platform suffers from a missing authentication check (CWE-306) and missing authorization (CWE-862) on the PUT /api/echo/like/:id API endpoint. This vulnerability allows an unauthenticated remote attacker to arbitrarily inflate engagement metrics by repeatedly sending requests, falsifying social proof and generating unnecessary database writes.

TL;DR

A critical API endpoint in the Ech0 publishing platform was exposed publicly without authentication or user-binding checks. Remote attackers can leverage this to artificially inflate the "like" count of any post via repeated HTTP requests.…
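
One way to add the two checks the advisory names as missing (authentication and user binding) on PUT /api/echo/like/:id, as an added example that is not Ech0's own code. The token table, LikeStore and LikeHandler are hypothetical names, and the standard library net/http stands in for the project's router.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
	"sync"
)

// Constructed sample tokens; a real service validates a session or JWT here.
var sampleTokens = map[string]string{"token-alice": "alice", "token-bob": "bob"}
// LikeStore keeps a set of user IDs per post, so each like is bound to an identity.
type LikeStore struct {
	mu    sync.Mutex
	likes map[string]map[string]bool
}
func NewLikeStore() *LikeStore { return &LikeStore{likes: map[string]map[string]bool{}} }

// Like is idempotent: a repeat from the same user leaves the count unchanged.
func (s *LikeStore) Like(postID, userID string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.likes[postID] == nil {
		s.likes[postID] = map[string]bool{}
	}
	s.likes[postID][userID] = true
	return len(s.likes[postID])
}

// LikeHandler rejects unauthenticated callers before any write reaches the store.
func LikeHandler(s *LikeStore) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPut {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		h := r.Header.Get("Authorization")
		user, ok := sampleTokens[strings.TrimPrefix(h, "Bearer ")]
		if !strings.HasPrefix(h, "Bearer ") || !ok {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, s.Like(strings.TrimPrefix(r.URL.Path, "/api/echo/like/"), user))
	})
}

func main() {
	http.Handle("/api/echo/like/", LikeHandler(NewLikeStore()))
	http.ListenAndServe("127.0.0.1:8080", nil)
}
```

Because the store keeps a set per post, repeated requests from one account return the same count, and requests without a valid token never reach the write path.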