Description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2.
Published: 2026-03-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

Wallos, an open-source personal subscription tracker, has a server-side request forgery flaw in its notification testing feature. Any attacker able to trigger the tester can make the server send HTTP requests to attacker-chosen URLs, potentially reaching internal resources, leaking data, or pivoting to other systems. The record lists two weaknesses: CWE-918 (Server-Side Request Forgery) and CWE-295 (Improper Certificate Validation).

Affected Systems

All users running ellite's Wallos before version 4.6.2 are affected. The vulnerability applies to the open-source Wallos application on every platform the product supports, and to any installation where the notification tester endpoint is reachable. Releases 4.6.2 and newer contain the fix.

Risk and Exploitability

The CVSS score of 8.8 points to high impact; however, EPSS suggests the probability of real-world exploitation is very low (<1%), and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is remote: crafted requests sent to the notification tester endpoint. The CVSS vector (AV:N/AC:L/PR:L/UI:N) indicates a network-reachable flaw that needs only low privileges and no user interaction, so any account able to reach the tester can serve as an initial foothold. The impact includes unauthorized access to internal data, credential theft, or use of the server as a pivot for further lateral movement.

Generated by OpenCVE AI on April 16, 2026 at 11:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wallos to version 4.6.2 or later to eliminate the SSRF flaw.
  • Restrict outbound network access from the Wallos instance, blocking requests to internal or sensitive endpoints.
  • If upgrading is not immediately possible, disable or remove the notification tester feature to prevent exploitation.
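Restricting where the notification tester may send requests is typically enforced by validating the target URL before the outbound call is made. The function below is an added example of such a check, written in Python for illustration; it is not Wallos's code nor the 4.6.2 fix, and the allowed schemes and the injectable `resolver` parameter are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: notification targets may only use plain web schemes.
ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Resolve a hostname or IP literal to the set of addresses it maps to."""
    return {ipaddress.ip_address(info[4][0])
            for info in socket.getaddrinfo(host, None)}


def is_public_address(ip):
    """True only for globally routable unicast addresses."""
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_notification_url(url, resolver=resolve_host):
    """Return (ok, reason) for a user-supplied notification target URL.

    Rejects non-web schemes, embedded credentials, and any host that
    resolves to a loopback, private, link-local or other non-public
    address, which is what an SSRF against internal services relies on.
    The resolver is injectable so the check can be tested offline.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = resolver(host)
    except (socket.gaierror, ValueError) as exc:
        return False, f"cannot resolve {host!r}: {exc}"
    # Every address the name maps to must be public; one internal
    # answer among several is enough to reject the target.
    for ip in addrs:
        if not is_public_address(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, "ok"
```

Because DNS answers can change between this check and the actual request, a hardened deployment also pins the connection to the validated address and re-checks every redirect hop instead of following it blindly.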



Advisories

No advisories yet.

History

Wed, 11 Mar 2026 18:45:00 +0000

Type: First Time appeared
  Values added: Wallosapp; Wallosapp wallos
Type: CPEs
  Values added: cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values added: Wallosapp; Wallosapp wallos

Mon, 09 Mar 2026 21:15:00 +0000

Type: Metrics
  Values added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
  Values added: Ellite; Ellite wallos
Type: Vendors & Products
  Values added: Ellite; Ellite wallos

Sat, 07 Mar 2026 06:00:00 +0000

Type: Description
  Values added: Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2.
Type: Title
  Values added: Wallos: Server-Side Request Forgery (SSRF) in Notification Testers
Type: Weaknesses
  Values added: CWE-295; CWE-918
Type: References
Type: Metrics
  Values added: cvssV3_0
    {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:24:17.322Z

Reserved: 2026-03-05T21:06:44.606Z

Link: CVE-2026-30840

Vulnrichment

Updated: 2026-03-09T20:18:49.414Z

NVD

Status: Analyzed

Published: 2026-03-07T06:16:11.463

Modified: 2026-03-11T18:32:29.380

Link: CVE-2026-30840

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:15:27Z

Weaknesses