Description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.2.
Published: 2026-03-07
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from Wallos's handling of the url parameter: a client can supply a value that is resolved against the local filesystem instead of a remote resource. The flaw combines path traversal (CWE-22) with Server-Side Request Forgery (CWE-918), allowing an attacker to read arbitrary files on the host, potentially including configuration files or credentials. The primary impact is disclosure of local files, i.e. a loss of confidentiality.

Affected Systems

All releases of the open‑source Wallos personal subscription tracker from ellite prior to version 4.6.2 are affected; the problem was fixed in the 4.6.2 release.

Risk and Exploitability

The CVSS 4.0 base score of 8.7 (High) conveys a high severity assessment, yet the EPSS value of less than 1% indicates a low current probability of exploitation, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the likely attack vector is a crafted, unauthenticated HTTP request to the vulnerable endpoint whose url parameter references a relative or absolute local path. Because the flaw is remotely exploitable and discloses local files, it should be treated as a high‑risk information disclosure vector.

Generated by OpenCVE AI on April 17, 2026 at 12:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wallos to version 4.6.2 or later, which removes the vulnerable url processing logic.
  • If an upgrade is not immediately possible, restrict access to the /url endpoint so that only trusted internal users can use it, or remove the url parameter entirely.
  • Apply file system level controls or web server configuration changes to block read access to sensitive files from the application context.
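The mitigations above reduce to one control: a url parameter must only ever name a remote http(s) resource, never a local path or an internal address. The following validator is an added illustration of that control written for this advisory; it is not Wallos code (the page does not show the vulnerable handler), the function names and the endpoint behaviour are assumptions, and it is in Python as a language-independent sketch. It rejects the inputs that CWE-22 and CWE-918 describe: non-http(s) schemes such as file://, scheme-less and relative paths, loopback, private and link-local IP literals, embedded credentials, and traversal segments that survive repeated percent-decoding.

```python
"""Defensive validation for a user-supplied ``url`` parameter.

Constructed example for the CWE-22 / CWE-918 pattern in this advisory.
Not the project's own code; function names are assumptions.
"""
import ipaddress
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeUrl(ValueError):
    """Raised when a url parameter must not be fetched."""


def _is_local_address(host: str) -> bool:
    """True if host is an IP literal in a loopback/private/link-local/
    reserved range. Hostnames are NOT resolved here; a deployment that
    accepts hostnames must re-check the resolved address at connect time
    (otherwise DNS rebinding can still reach internal addresses)."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # not an IP literal, so nothing to judge here
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_remote_url(url: str) -> str:
    """Return the url unchanged if it names a remote http(s) resource,
    otherwise raise UnsafeUrl with the reason."""
    if not url:
        raise UnsafeUrl("empty url")
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        # file://, php://, gopher://, data: and scheme-less local paths
        # (e.g. "../../etc/passwd") all end up here.
        raise UnsafeUrl(f"scheme not allowed: {scheme or '<none>'}")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    if host == "localhost" or host.endswith(".localhost") or _is_local_address(host):
        raise UnsafeUrl(f"host points at the local machine: {host}")
    if parts.username or parts.password:
        # "http://user@10.0.0.5/" style confusion; refuse outright.
        raise UnsafeUrl("credentials in url are not allowed")
    # Decode a bounded number of times so that %252e%252e (double-encoded
    # "..") cannot slip past a single unquote() and be decoded downstream.
    path = parts.path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if ".." in path.replace("\\", "/").split("/"):
        raise UnsafeUrl("path traversal segment in url")
    return parts.geturl()


def is_safe_url(url: str) -> bool:
    """Boolean wrapper around validate_remote_url for callers and tests."""
    try:
        validate_remote_url(url)
        return True
    except UnsafeUrl:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate feed URL and several
    # values of the kind the advisory's weakness classes describe.
    samples = [
        "https://example.com/feed.json",
        "file:///etc/passwd",
        "../../etc/passwd",
        "http://127.0.0.1/",
        "http://[::1]/admin",
        "http://169.254.169.254/latest/",
        "http://example.com/%252e%252e/secret",
    ]
    for s in samples:
        try:
            print("OK     ", validate_remote_url(s))
        except UnsafeUrl as e:
            print("REJECT ", s, "->", e)
```

This validates only the string the client sent. The fetching layer still has to refuse or re-validate HTTP redirects (a permitted host can redirect to an internal one) and should run the fetch under an account that cannot read application configuration, which is what the file-system control in the last bullet above provides.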

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 19:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wallosapp; Wallosapp wallos
CPEs | | cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*
Vendors & Products | | Wallosapp; Wallosapp wallos
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Mon, 09 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ellite; Ellite wallos
Vendors & Products | | Ellite; Ellite wallos

Sat, 07 Mar 2026 06:00:00 +0000

Type | Values Removed | Values Added
Description | | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.2.
Title | | Wallos: SSRF via url parameter leading to File Traversal
Weaknesses | | CWE-22; CWE-29; CWE-918
References | |
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:24:17.028Z

Reserved: 2026-03-05T21:06:44.606Z

Link: CVE-2026-30828

Vulnrichment

Updated: 2026-03-09T20:18:45.008Z

NVD

Status : Analyzed

Published: 2026-03-07T06:16:10.720

Modified: 2026-03-11T18:59:07.240

Link: CVE-2026-30828

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:15:18Z

Weaknesses