unsubbed.co

Ech0

For content management, Ech0 is a self-hosted solution that provides a lightweight federated publishing platform focused on personal idea sharing.

Open-source personal publishing, honestly reviewed. No marketing fluff — just what you get when you run it on your own server.

TL;DR

  • What it is: Open-source (AGPL-3.0) personal microblog platform — think a self-hosted Twitter-lite where you own the timeline, the data, and the domain [1][2].
  • Who it’s for: Individual creators who want a clean, low-overhead publishing space for short-form thoughts, links, and notes — and want that space on their own infrastructure [README].
  • Cost: Software is free. VPS to run it costs ~$5–10/month. Compare that to Ghost Pro at $9–50/month or Micro.blog at $5–10/month for hosted equivalents.
  • Key strength: Genuinely lightweight — under 15MB RAM footprint, under 50MB image size, SQLite as the only database. Single-command Docker deploy that actually works [1].
  • Key weakness: Primary documentation is in Chinese, which creates a real barrier for non-Chinese-speaking users [2][5]. Also carries an unpatched-until-recently SSRF vulnerability that exposed internal network access via the link preview endpoint [3].

What is Ech0

Ech0 is a self-hosted microblog — not a note-taking app, not a wiki, not a team knowledge base. The README is explicit about this: “Tools like Memos are great for capturing quick thoughts. Ech0 is built for what comes next: publishing those ideas to a personal timeline that others can follow and interact with.” [README]

The core use case is a public or semi-public timeline on your own domain. You write short posts, links, and notes. Visitors can read them, leave comments through the built-in comment system, and subscribe via RSS. If you run multiple instances, the Hub feature can aggregate them into a unified feed. The website also lists ActivityPub federation support — meaning posts can theoretically federate with Mastodon and Misskey — though this feature isn’t prominently documented in the English README [1][website keywords].

What keeps Ech0 interesting in a crowded space is the technical footprint: SQLite as the sole storage backend, a single Docker container, and resource usage that makes it viable on an old Raspberry Pi or the cheapest ARM VPS you can find [1][README]. The project has 1,903 GitHub stars as of this writing and is listed on awesome-selfhosted under Blogging Platforms / Content Management Systems [2].


Why People Choose It

The VentureGaps comparison page [5] surfaces two explicit reasons people look for alternatives: documentation primarily in Chinese, and the general friction that creates for non-Chinese users. Flip that around and you have the profile of who stays: developers or technically comfortable founders who don’t mind reading Chinese docs, or who want something so simple it barely needs documentation.

Community quotes from the official website repeat the same themes: clean interface, smooth deployment, appropriate scope. “Fast to start, fluid to use, great for personal publishing.” “Deployment is smooth, and the system design is surprisingly complete.” These read like genuine microblogger impressions rather than enterprise evaluations — which is accurate to what Ech0 is.

The Zeabur deploy guide [1] makes the pitch more concrete: under 15MB memory consumption, zero-configuration startup, no external database process to manage, one-click export for backups. For a personal publishing tool, those are exactly the right constraints.

What sets it apart from Memos (its most obvious comparison point) is the publishing-first orientation: native comments, likes, sharing, RSS output, and optional multi-user roles. Memos is a private capture tool. Ech0 is a public timeline with social hooks. That’s a meaningful distinction if what you want is a personal space others can follow without handing data to Twitter or Substack.


Features

Based on the README, official documentation, and the Zeabur deployment guide [1]:

Core publishing:

  • Markdown editor powered by markdown-it with Vditor, including real-time preview [README]
  • Auto-draft save every 600ms; 24-hour recovery window [docs]
  • Zen timeline reading mode with minimal distraction [README]
  • Tag management with fast filtering and search [1][README]
  • Rich media cards for links, GitHub repos, music, and video [README]
  • Native Bilibili and YouTube video parsing [1][README]
  • Zone feature: a thermal-print-style draggable card view (a creative UI experiment) [docs]

Social and interaction:

  • Built-in comment system with guest and authenticated comments, moderation queue, and spam controls — no third-party plugin required [website][README]
  • Likes and sharing on posts [1][README]
  • RSS output for all content [1][README]
  • Hub: aggregates content from multiple Ech0 instances into a unified federated view [docs]
  • ActivityPub support listed — theoretically federates with Mastodon and Misskey [1][website]

Auth and security:

  • OAuth2 / OIDC for third-party login [1][README]
  • Passkey (passwordless biometric / hardware key) login [1][README]
  • API access tokens with revocation [1][README]
  • Multi-account roles and permissions [README]

Storage and data:

  • SQLite backend — single file, no separate database process [1]
  • VireFS abstraction layer supporting local storage and S3-compatible object storage [docs][README]
  • Snapshot export and migration import for backup and portability [1][README]
  • Automatic background backup, plus Web, CLI, and TUI export modes [1]

Developer and ops:

  • REST API and Webhooks [README]
  • CLI and TUI tools for management without a browser [1][README]
  • WebSocket-based real-time system monitoring dashboard [1]
  • Structured logs and a live console [README]
  • Docker, Docker Compose, Helm / Kubernetes deployment [1][README]
  • PWA support — installable as a near-native web app [1]
  • AI model configuration for quick LLM integration [1]

Pricing: Self-Hosted vs. Hosted Alternatives

Ech0 has no SaaS tier. It’s free software under AGPL-3.0. Your cost is the server.

Self-hosted Ech0:

  • Software: $0
  • VPS (Hetzner, Contabo, DigitalOcean): $4–10/month
  • SQLite means no managed database costs
  • Total: ~$5–10/month ongoing

What you’d pay for hosted equivalents:

  • Ghost Pro: $9/month (Starter, custom domain + basic features), $25/month (Creator), $50/month (Team)
  • Micro.blog: $5/month (basic timeline), $10/month (podcast + cross-posting)
  • Substack: free, but they take 10% of paid subscription revenue
  • Twitter/X Blue: $8/month for a blue check and longer posts, with zero data ownership
  • Mastodon managed hosting (e.g., masto.host): $3–10/month depending on user count

The self-hosted math is clear: if you’re already comfortable with Docker and a VPS, Ech0 costs whatever your VPS costs. Over a year versus Ghost Creator, that’s roughly $216 saved — not life-changing, but more importantly, you own everything.

One caveat: Ech0 doesn’t offer a managed cloud tier itself. You’re fully responsible for uptime, updates, and backups. The built-in export tools help, but there’s no fallback if your VPS goes down.


Deployment Reality Check

The one-liner from the README actually works:

docker run -d \
  --name ech0 \
  -p 6277:6277 \
  -v /opt/ech0/data:/app/data \
  -e JWT_SECRET="Hello Echos" \
  sn0wl1n/ech0:latest

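Open port 6277, register, and the first account becomes admin. That’s the honest install path — and for a Linux VPS with Docker already installed, it’s genuinely that simple [README][1]. Replace the sample JWT_SECRET value with a long random string of your own before exposing the instance.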

What you actually need:

  • A Linux VPS (ARM-compatible, including Raspberry Pi) [1]
  • Docker installed
  • A reverse proxy for HTTPS (Caddy or nginx) if you want a real domain
  • Nothing else — no PostgreSQL, no Redis, no external services

What can go sideways:

First, the language barrier. The official documentation lives at the ech0.app domain and is written in Chinese. The README has English content, but deeper configuration details are in Chinese [2][5]. If you hit an edge case, you’re reading machine-translated docs or asking in a Chinese-language community.

Second, and more serious: CVE-2026-35036, published April 10, 2026 [3]. This is a Server-Side Request Forgery (SSRF) vulnerability in the link preview endpoint (GET /api/website/title). The endpoint is unauthenticated, accepts attacker-controlled URLs, and makes outbound HTTP requests without validation — including to internal Docker network addresses, cloud metadata endpoints like http://169.254.169.254/, and localhost services. The implementation also disables TLS certificate verification entirely with InsecureSkipVerify: true [3].

This is a meaningful vulnerability for anyone running Ech0 on a cloud VPS or alongside other containers. An attacker with network access to your instance can use it to probe your internal network. The fix is in version 4.2.8 — make sure you’re on that version or newer [3]. If you’re running anything older and your instance is publicly accessible, update before anything else.
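
For readers who want to see what the missing validation looks like, here is an added example of an SSRF guard for a link-preview fetcher in Go. It is not Ech0's code and not the 4.2.8 patch; the function names (publicAddr, checkURL, dialControl, newPreviewClient) are hypothetical and the sample URLs are constructed.

```go
// Added example, not Ech0's code; all function names are hypothetical.
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"syscall"
	"time"
)

var errBlocked = fmt.Errorf("destination not allowed")

// publicAddr rejects loopback, link-local, private/ULA, multicast, unspecified.
func publicAddr(ip netip.Addr) bool {
	return ip.Unmap().IsGlobalUnicast() && !ip.Unmap().IsPrivate()
}

// checkURL is the pre-flight: scheme allow-list plus literal-IP check.
func checkURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return errBlocked
	}
	if ip, err := netip.ParseAddr(u.Hostname()); err == nil && !publicAddr(ip) {
		return errBlocked
	}
	return nil
}

// dialControl re-checks the resolved IP at connect time (covers DNS and redirects).
func dialControl(_, address string, _ syscall.RawConn) error {
	if ap, err := netip.ParseAddrPort(address); err != nil || !publicAddr(ap.Addr()) {
		return errBlocked
	}
	return nil
}

// newPreviewClient keeps Go's default TLS verification (no InsecureSkipVerify).
func newPreviewClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: dialControl}
	return &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{DialContext: d.DialContext}}
}

func main() { // constructed sample inputs
	fmt.Println(checkURL("http://169.254.169.254/"), checkURL("https://example.com/"))
}
```

The dial-time check is the one that matters: validating only the URL string misses hostnames that resolve to internal addresses and redirects that point inward.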

Third: ActivityPub federation is advertised prominently but the practical state of Mastodon/Misskey interoperability isn’t documented in English, so treat it as experimental until you test it yourself.

Realistic time to a working instance for a technical user: 20–40 minutes. For someone new to Linux servers following a guide: 2–4 hours including domain, reverse proxy, and HTTPS.


Pros and Cons

Pros

  • Genuinely lightweight. Under 15MB RAM, under 50MB image, SQLite only. Runs on a $4 ARM VPS or a Raspberry Pi sitting on your desk [1][README]. This isn’t marketing — it’s the actual design constraint.
  • Single-command deploy. Not “single-command if everything is already configured” — actually one docker run command to a working instance [1][README].
  • No external dependencies. SQLite means no database process to manage, back up separately, or pay for. Everything is one file [1].
  • Built-in backup and export. Snapshot export via web, CLI, and TUI. Automatic background backup. You can migrate or archive without scripts [1][docs].
  • Native comments and social features. Comments, likes, and sharing without Disqus or any third-party service. Your readers’ interactions stay in your database [README][website].
  • S3 storage support for scaling media storage beyond local disk [docs][README].
  • ActivityPub + Hub federation. Optional integration with Mastodon/Misskey ecosystem and multi-instance aggregation [1].
  • Passkey login. Biometric or hardware key login is a security upgrade most tools at this scale don’t bother with [1][README].
  • Free, AGPL-3.0. No per-seat pricing, no feature gating, no paid tier hiding core functionality.

Cons

  • Documentation primarily in Chinese [2][5]. This is the single biggest practical barrier for adoption outside China. If something breaks, you’re translating documentation.
  • CVE-2026-35036 SSRF vulnerability in versions before 4.2.8 [3]. Unauthenticated endpoint that lets anyone probe your internal network via the link preview feature. Patched, but an indicator that security review is not deep yet in a young project.
  • 1,903 GitHub stars — small project by self-hosted standards [2]. No commercial backer, no YC funding, no enterprise customer base. If the solo maintainer loses interest, the project stalls.
  • ActivityPub federation is underspecified. Listed as a feature in marketing and the Zeabur guide [1], but English documentation on how to actually configure Mastodon federation is thin.
  • AGPL-3.0 license. Stricter than MIT — if you embed Ech0 in a commercial product or SaaS, you must open-source your code. For a personal publishing tool this rarely matters, but worth knowing.
  • No hosted tier. You’re fully responsible for uptime and updates. There’s no “upgrade to managed” escape hatch if self-hosting becomes a burden.
  • Young project. The feature list is ambitious — Hub federation, ActivityPub, Passkey, AI agent setup, thermal print cards, TUI, WebSocket monitoring. This many features in a 1,903-star project likely means some are rougher than the README suggests.

Who Should Use This / Who Shouldn’t

Use Ech0 if:

  • You want a personal public timeline on your own domain with clean, minimal overhead.
  • You’re paying for Ghost, Micro.blog, or Substack and want to stop.
  • You’re comfortable with Docker and don’t mind Chinese-language documentation when things get deep.
  • Your server is a cheap ARM VPS or a Raspberry Pi and you need something that actually fits.
  • You want comments and RSS without bolting on third-party services.

Skip it (use Memos instead) if:

  • You want a private capture tool, not a public-facing timeline. Memos is built for private note capture; Ech0 is built for publishing.

Skip it (use WriteFreely or Ghost instead) if:

  • You need English-language documentation and active English-speaking community support.
  • You’re writing long-form content that needs proper typography, email newsletters, or paid subscriptions.

Skip it (use Mastodon or Misskey instead) if:

  • You want full ActivityPub federation with a proven track record and a large English-language self-hosting community.
  • Multi-user social networking is your goal, not personal publishing.

Skip it (stay on Ghost Pro or Micro.blog) if:

  • You’re not comfortable with Linux servers and don’t want to become comfortable.
  • Uptime and updates aren’t something you want to think about.

Alternatives Worth Considering

  • Memos — the closest comparison. Also self-hosted, also lightweight, also SQLite. Built for private capture and quick notes rather than public timelines. Larger community, more English documentation. Pick Memos if publishing is secondary; pick Ech0 if publishing is primary.
  • WriteFreely — open-source (AGPL-3.0), focused on long-form writing, native ActivityPub federation with a proven track record. More mature federation story, but no media cards, no comments, no social features. Better for essays than microblogs.
  • Ghost — the professional choice for individual creators who want newsletters, paid memberships, and polish. Commercial product with a self-hosted option; far more feature-complete and English-documented. Costs more, requires more resources (Node.js, MySQL).
  • Micro.blog — managed hosted service built around microblogging with ActivityPub. $5–10/month, no server to manage, strong IndieWeb community. If you want the Ech0 use case without the server work, Micro.blog is the answer.
  • Mastodon (single-user) — full ActivityPub from day one, proven federation, massive ecosystem. But it’s a full Rails app — PostgreSQL, Redis, Sidekiq, Elasticsearch. Overkill resource-wise for a single person, and more complex to operate.
  • Misskey/Calckey/Firefish — similar to Mastodon but from the Japanese open-source ecosystem. ActivityPub, more features, similar operational complexity.

For the target audience — an individual creator who wants a personal timeline on their own infrastructure with minimal footprint — the realistic shortlist is Ech0 vs Memos vs WriteFreely. Ech0 if you want public posting with comments and social hooks. Memos if you want private capture. WriteFreely if you want long-form publishing with proven federation.


Bottom Line

Ech0 is a technically well-designed tool for a specific, narrow use case: personal microblogging on your own server, with a footprint small enough to run on hardware you probably already have. The SQLite-only architecture, single-command deploy, and sub-15MB RAM usage are genuine advantages, not marketing claims. For a non-technical founder paying Ghost Pro $25–50/month to publish short-form content, the self-hosted math is obvious.

The catches are real: documentation in Chinese is a genuine barrier, the recent SSRF vulnerability (patched in 4.2.8, but a signal of the project’s security maturity) deserves attention before you expose the instance publicly, and the project is small enough that long-term maintenance is uncertain. If those risks are acceptable — and for a personal publishing tool, they often are — Ech0 delivers what it promises. If you’d rather not own the operational risk, Micro.blog gives you the same publishing model without the server.


Sources

  1. Zeabur, “Ech0 Deploy Template”. https://zeabur.com/templates/7BUFIG
  2. awesome-selfhosted, “K8S platform listing — Ech0 entry”. https://awesome-selfhosted.net/platforms/k8s.html
  3. SentinelOne Vulnerability Database, “CVE-2026-35036: Ech0 Publishing Platform SSRF Vulnerability” (published April 10, 2026). https://www.sentinelone.com/vulnerability-database/cve-2026-35036/
  4. VentureGaps, “Best Ech0 Alternatives in 2026”. https://www.venturegaps.com/alternatives/ech0
