Description
Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery (SSRF) vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the request, but allows HTTP redirects (CURLOPT_FOLLOWLOCATION = true), enabling an attacker to bypass the IP validation and access internal resources, including cloud instance metadata endpoints. The getLogoFromUrl() function validates the URL by resolving the hostname and checking if the resulting IP is in a private or reserved range using FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE. However, the subsequent cURL request is configured with CURLOPT_FOLLOWLOCATION = true and CURLOPT_MAXREDIRS = 3, which means the request will follow HTTP redirects without re-validating the destination IP. This issue has been fixed in version 4.6.1.
Published: 2026-02-21
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery
Action: Patch
AI Analysis

Impact

A Server-Side Request Forgery flaw exists in the logo and icon upload functionality of Wallos. The application validates that a requested URL does not resolve to a private or reserved IP address, yet the subsequent cURL call follows HTTP redirects without re-applying this validation. An attacker can supply a URL that redirects to an internal resource, allowing the server to make requests to internal services such as cloud instance metadata endpoints and potentially exfiltrate sensitive data or gain further foothold. The weakness is classified as CWE-918. This flaw enables remote disclosure and manipulation of internal network resources, effectively elevating the potential impact from a simple denial of service to unauthorized internal data access.
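The validate-then-follow pattern described above, placed beside a fetcher that re-validates every redirect hop, as an added PHP example. This is illustrative code written for this page, not Wallos's getLogoFromUrl() or the 4.6.1 fix; the function names, the IPv4-only gethostbyname() lookup, the 3-hop limit and the PHP 8 union return types are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Resolve $host and return its address only if it is public.
 * Returns null for private/reserved ranges, loopback, link-local
 * (which covers 169.254.169.254) or unresolvable hosts.
 * Assumption: gethostbyname() is used, so only IPv4 is handled.
 */
function public_ip_for(string $host): ?string
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ip = $host;                       // URL already carries an IP literal
    } else {
        $ip = gethostbyname($host);        // returns $host unchanged on failure
        if ($ip === $host) {
            return null;
        }
    }
    $ok = filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
    return $ok === false ? null : $ip;
}

/** Weak pattern: validate the first hostname once, then let cURL follow redirects unchecked. */
function fetch_logo_vulnerable(string $url): string|false
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || public_ip_for($host) === null) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,   // a 302 to an internal address is followed without re-checking
        CURLOPT_MAXREDIRS      => 3,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

/** Hardened: follow redirects manually, validating and pinning the address on each hop. */
function fetch_logo_safe(string $url, int $maxRedirects = 3): string|false
{
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        $parts = parse_url($url);
        if (!is_array($parts) || !isset($parts['host'])
            || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
            return false;                  // only absolute http(s) URLs are fetched
        }
        $ip = public_ip_for($parts['host']);
        if ($ip === null) {
            return false;                  // private/reserved destination on this hop
        }
        $port = $parts['port'] ?? ($parts['scheme'] === 'https' ? 443 : 80);

        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER  => true,
            CURLOPT_FOLLOWLOCATION  => false,                        // redirects handled below
            CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            // Pin the address that was just validated so cURL's own DNS lookup
            // cannot be answered with a different (internal) address.
            CURLOPT_RESOLVE         => ["{$parts['host']}:{$port}:{$ip}"],
            CURLOPT_CONNECTTIMEOUT  => 5,
            CURLOPT_TIMEOUT         => 10,
        ]);
        $body   = curl_exec($ch);
        $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next   = curl_getinfo($ch, CURLINFO_REDIRECT_URL);          // Location target, not followed
        curl_close($ch);

        if ($status < 300 || $status >= 400) {
            return $body;                  // final response (or transport failure => false)
        }
        if (!is_string($next) || $next === '') {
            return false;                  // redirect without a usable Location header
        }
        $url = $next;                      // next iteration validates the redirect target
    }
    return false;                          // exceeded $maxRedirects
}
```

With fetch_logo_safe(), a URL whose first hop answers with a redirect to a loopback or link-local address is rejected on the second iteration, because public_ip_for() runs against the Location target before any request to it is made; fetch_logo_vulnerable() would have let libcurl make that request. CURLOPT_RESOLVE also closes the gap between the validation lookup and cURL's own lookup, so the host cannot resolve to a different address between the two.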

Affected Systems

Wallos versions 4.6.0 and earlier are affected. The vulnerability was patched in release 4.6.1, so any deployment still using 4.6.0 or a prior version retains the risk.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity. The EPSS score of <1% reflects a low exploitation probability, and the issue is not listed in the CISA KEV catalog. Nevertheless, the flaw can be leveraged via any authenticated or unauthenticated user who can upload logos, making it a realistic threat in environments where external image uploads are permitted. Attackers could use the redirect bypass to reach internal endpoints, including metadata services, thereby potentially compromising credentials or other sensitive information. The primary attack vector is remote via the logo upload interface; no special privileges are required beyond access to the upload functionality.

Generated by OpenCVE AI on April 17, 2026 at 16:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wallos to version 4.6.1 or later to eliminate the redirect bypass in logo/icon URL fetching.
  • If an immediate upgrade is not possible, disable the logo and icon upload feature or block outbound HTTP requests from the Wallos application to prevent internal resource access.
  • Configure the web server or network firewall to restrict Wallos’ outbound traffic to only approved trusted hosts, blocking access to cloud metadata services and other internal endpoints.



Advisories

No advisories yet.

History

Tue, 24 Feb 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wallosapp; Wallosapp wallos
CPEs                                  cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*
Vendors & Products                    Wallosapp; Wallosapp wallos

Mon, 23 Feb 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Ellite; Ellite wallos
Vendors & Products                    Ellite; Ellite wallos

Sat, 21 Feb 2026 08:30:00 +0000

Type                 Values Removed   Values Added
Description                           Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery (SSRF) vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the request, but allows HTTP redirects (CURLOPT_FOLLOWLOCATION = true), enabling an attacker to bypass the IP validation and access internal resources, including cloud instance metadata endpoints. The getLogoFromUrl() function validates the URL by resolving the hostname and checking if the resulting IP is in a private or reserved range using FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE. However, the subsequent cURL request is configured with CURLOPT_FOLLOWLOCATION = true and CURLOPT_MAXREDIRS = 3, which means the request will follow HTTP redirects without re-validating the destination IP. This issue has been fixed in version 4.6.1.
Title                                 Wallos: SSRF via Redirect Bypass in Logo/Icon URL Fetch
Weaknesses                            CWE-918
References
Metrics                               cvssV3_1: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T18:24:31.376Z

Reserved: 2026-02-19T19:46:03.540Z

Link: CVE-2026-27479

Vulnrichment

Updated: 2026-02-24T18:24:22.961Z

NVD

Status: Analyzed

Published: 2026-02-21T09:15:53.923

Modified: 2026-02-24T14:47:06.290

Link: CVE-2026-27479

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:00:10Z

Weaknesses