Description
Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but passes the original hostname to cURL without CURLOPT_RESOLVE pinning on 10 of 11 outbound HTTP endpoints, leaving a DNS rebinding TOCTOU window. At time of publication, there are no publicly available patches.
Published: 2026-05-07
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Wallos, an open-source subscription tracker, is vulnerable to server-side request forgery (SSRF) in versions 4.8.4 and earlier. The incomplete SSRF fix validates webhook URLs by resolving the hostname with gethostbyname(), but for most outbound HTTP calls it then hands the original hostname to cURL without pinning the checked address via CURLOPT_RESOLVE, so cURL performs a second, independent DNS lookup. That creates a DNS rebinding TOCTOU window: an attacker-controlled hostname can resolve to a permitted address during validation and to an internal address when cURL connects, causing the vulnerable instance to reach internal services. The consequence is that an attacker could access or manipulate internal resources, potentially leading to data exfiltration, privilege escalation, or further exploitation of internal hosts.
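As an added illustration that is not Wallos code, the two shapes the description contrasts, in PHP: a hostname check with gethostbyname() followed by an unpinned cURL call, beside a variant that hands the checked address to cURL via CURLOPT_RESOLVE. Function names are hypothetical.

```php
<?php
// Added illustration (not Wallos code); function names are hypothetical.
// Resolve once; accept only a public IPv4 address, fail closed otherwise.
function resolve_public_ipv4(string $host): ?string {
    $ip = gethostbyname($host);   // returns $host unchanged on failure
    if ($ip === $host && filter_var($host, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) ? $ip : null;
}

// Vulnerable shape: the check and the connection each do their own DNS
// lookup, so a low-TTL record can change between them (rebinding TOCTOU).
function send_webhook_unpinned(string $url): ?string {
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || resolve_public_ipv4($host) === null) {
        return null;
    }
    $ch = curl_init($url);        // cURL re-resolves $host here
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

// Hardened shape: the address that passed validation is handed to cURL via
// CURLOPT_RESOLVE, so the hostname is never looked up a second time.
function send_webhook_pinned(string $url): ?string {
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['host'], $p['scheme'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $ip = in_array($scheme, ['http', 'https'], true) ? resolve_public_ipv4($p['host']) : null;
    if ($ip === null) {
        return null;
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_RESOLVE        => ["{$p['host']}:{$port}:{$ip}"], // pin the checked IP
        CURLOPT_FOLLOWLOCATION => false, // a redirect would escape the pin
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}
```

Because gethostbyname() only returns IPv4 answers, this shape rejects IPv6-only hosts rather than letting cURL pick an unchecked AAAA record; a deployment that needs IPv6 must validate and pin that address family explicitly.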

Affected Systems

The affected product is Wallos from Ellite, at any release with version 4.8.4 or older. No further version details are provided. The vulnerability applies when the application makes outbound HTTP requests to user-configured endpoints, such as webhook URLs.

Risk and Exploitability

The CVSS base score of 7.7 classifies this as high severity. No EPSS score is available, so the exploitation likelihood cannot be quantified, but the presence of a TOCTOU window and the lack of a public patch suggest that the risk is non-negligible, especially for exposed installations. The vulnerability is not listed in the CISA KEV catalog. An attacker can launch the exploit by supplying a webhook URL with an attacker-controlled hostname and then triggering the outbound call, so that cURL's second resolution of that hostname differs from the one that passed validation. The attack requires network access to the vulnerable instance and the ability to manipulate its webhook configuration.

Generated by OpenCVE AI on May 7, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Wallos patch when it becomes available
  • Restrict outbound HTTP calls from Wallos by configuring a firewall or network ACL to only allow connections to known, trusted endpoints
  • Disable or remove any unused webhook features until a secure update is installed
  • Monitor DNS and HTTP traffic from the Wallos host for unusual resolution patterns or requests to internal IP addresses
  • Consider using a local DNS resolver that enforces hostname resolution consistently across all outbound connections

Advisories

No advisories yet.

History

Thu, 07 May 2026 15:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Ellite
                                       Ellite wallos
Vendors & Products                     Ellite
                                       Ellite wallos

Thu, 07 May 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 14:30:00 +0000

Type          Values Removed   Values Added
Description                    Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but passes the original hostname to cURL without CURLOPT_RESOLVE pinning on 10 of 11 outbound HTTP endpoints, leaving a DNS rebinding TOCTOU window. At time of publication, there are no publicly available patches.
Title                          Incomplete fix for CVE-2026-33399: SSRF in Wallos
Weaknesses                     CWE-918
References
Metrics                        cvssV3_1
                               {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T14:57:10.026Z

Reserved: 2026-04-22T03:53:24.407Z

Link: CVE-2026-41688

Vulnrichment

Updated: 2026-05-07T14:55:41.489Z

NVD

Status : Deferred

Published: 2026-05-07T15:16:09.253

Modified: 2026-05-07T15:45:05.947

Link: CVE-2026-41688

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T15:30:05Z

Weaknesses