Description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling SSRF via proxy hijacking. The server performs DNS resolution on user-supplied search terms, which can be controlled by attackers to trigger outbound requests to arbitrary domains. This issue has been patched in version 4.7.0.
Published: 2026-03-24
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Server Side Request Forgery
Action: Immediate Patch
AI Analysis

Impact

Wallos, an open‑source subscription tracker, permits attackers to set the HTTP_PROXY and HTTPS_PROXY environment variables for the search.php endpoint. Because the application performs DNS resolution on user‑supplied search terms without validating these variables, an attacker can trigger arbitrary outbound requests to internal or external hosts. This grants server‑side request forgery, enabling network probing, data exfiltration or potentially remote code execution against vulnerable services. The flaw corresponds to CWE‑918 (Server Side Request Forgery) and CWE‑922 (Insecure Direct Object References).

Affected Systems

All releases of Wallos distributed by ellite before version 4.7.0 are affected. Users of these versions must upgrade to the patched release that sanitizes HTTP_PROXY and HTTPS_PROXY input.

Risk and Exploitability

The CVSS score of 8.3 designates this vulnerability as high severity, yet the EPSS indicates a very low probability of exploitation (<1%). It is not listed in the CISA KEV catalog, suggesting no widespread active exploitation. The attack requires only a crafted HTTP request to the vulnerable endpoint and does not need local or privileged access, making it a notable risk for exposed deployments.

Generated by OpenCVE AI on March 26, 2026 at 22:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wallos to version 4.7.0 or newer to apply the fix that validates HTTP_PROXY and HTTPS_PROXY environment variables.
  • After upgrading, verify that the application no longer accepts these environment variables without validation.
  • Continuously monitor outbound traffic from the Wallos instance for unexpected requests and consider restricting DNS or HTTP access to trusted domains.

Generated by OpenCVE AI on March 26, 2026 at 22:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Wallosapp
Wallosapp wallos
CPEs cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*
Vendors & Products Wallosapp
Wallosapp wallos
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Ellite
Ellite wallos
Vendors & Products Ellite
Ellite wallos

Tue, 24 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling SSRF via proxy hijacking. The server performs DNS resolution on user-supplied search terms, which can be controlled by attackers to trigger outbound requests to arbitrary domains. This issue has been patched in version 4.7.0.
Title Wallos: SSRF via HTTP Proxy Environment Variable
Weaknesses CWE-918
CWE-922
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Ellite Wallos
Wallosapp Wallos
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:52:13.544Z

Reserved: 2026-03-19T17:02:34.171Z

Link: CVE-2026-33407

cve-icon Vulnrichment

Updated: 2026-03-26T19:51:30.981Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T18:16:11.627

Modified: 2026-03-26T20:54:06.227

Link: CVE-2026-33407

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:20:52Z

Weaknesses