Description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in version 4.6.2.
Published: 2026-03-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery (SSRF) that allows internal resources to be read
Action: Immediate Patch
AI Analysis

Impact

Wallos, an open-source subscription tracker, exposes a webhook test endpoint (testwebhooknotifications.php) that fetches a caller-supplied URL without checking it against private or reserved IP ranges and returns the fetched response to the caller. An attacker can therefore point the endpoint at internal network services and read their responses, disclosing sensitive data or mapping internal infrastructure. The vulnerability was fixed in version 4.6.2 by adding proper URL validation and response handling.

Affected Systems

All Wallos installations (maintained by ellite) running a version older than 4.6.2 are affected. The product is a self-hosted personal subscription tracker.

Risk and Exploitability

The CVSS base score of 5.3 classifies the issue as moderate severity. The EPSS score of less than 1% indicates a low likelihood of exploitation at present, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires access to the exposed webhook testing endpoint, from which an attacker can craft a request that reads internal resources. The impact is limited to what the server hosting Wallos can reach, but that can include sensitive internal endpoints if the system is connected to private infrastructure.

Generated by OpenCVE AI on April 16, 2026 at 11:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Wallos instance to version 4.6.2 or later to apply the upstream fix that validates target URLs and sanitizes responses.
  • If an immediate upgrade is not feasible, restrict external access to the testwebhooknotifications.php endpoint, or block outbound requests to private and reserved IP ranges via firewall rules.
  • Audit firewall and network segmentation settings to ensure that requests the Wallos server makes on behalf of external clients cannot reach sensitive internal services.

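The target-URL validation that the upgrade and the firewall workaround above stand in for, as an added Python example (not Wallos code and not the upstream patch): it allow-lists the scheme, rejects credentials in the URL, resolves the host itself, and refuses any answer that is not a public address. The function names `resolve_all` and `webhook_url_is_safe` and the exact rule set are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not Wallos code: the rule set below (scheme allow-list, no URL
# credentials, resolve the host, refuse anything not globally routable) is an
# assumption about good practice, not a description of the 4.6.2 patch.
ALLOWED_SCHEMES = {"http", "https"}

def _is_public(ip):
    """True only for an address the server may legitimately connect to."""
    # Judge IPv4-mapped IPv6 (::ffff:10.0.0.1) as the IPv4 address it wraps.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global excludes RFC 1918, loopback, link-local (169.254/16, where cloud
    # metadata services live), ULA and reserved space; multicast is separate.
    return ip.is_global and not ip.is_multicast

def resolve_all(host):
    """Default resolver: every A/AAAA answer for host, as strings."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def webhook_url_is_safe(url, resolver=resolve_all):
    """Return (ok, reason); the host is resolved here so a DNS name aimed at
    an internal address is refused before any connection is opened."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        raw = [host]  # literal IP address: no lookup needed
    except ValueError:
        try:
            raw = resolver(host)
        except OSError as exc:  # socket.gaierror is an OSError
            return False, f"cannot resolve {host}: {exc}"
    if not raw:
        return False, f"no addresses for {host}"
    # Every answer must be public; a mixed answer set is a rebinding smell.
    for addr in raw:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        if not _is_public(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"
```

Because the check runs on resolved addresses, host spellings that are not IP literals are judged by what they resolve to; an HTTP client that follows redirects must re-run the check on every hop.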

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 19:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wallosapp; Wallosapp wallos
CPEs                                  cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*
Vendors & Products                    Wallosapp; Wallosapp wallos
Metrics                               cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Mon, 09 Mar 2026 21:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Ellite; Ellite wallos
Vendors & Products                    Ellite; Ellite wallos

Sat, 07 Mar 2026 06:00:00 +0000

Type                 Values Removed   Values Added
Description                           Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in version 4.6.2.
Title                                 Wallos: SSRF via webhook test endpoint
Weaknesses                            CWE-918
References
Metrics                               cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:24:17.159Z

Reserved: 2026-03-05T21:06:44.606Z

Link: CVE-2026-30839

Vulnrichment

Updated: 2026-03-09T20:18:47.345Z

NVD

Status: Analyzed

Published: 2026-03-07T06:16:11.317

Modified: 2026-03-11T18:48:29.450

Link: CVE-2026-30839

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:15:27Z

Weaknesses