CVE-2026-33399

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection was added to the test* notification endpoints but not to the corresponding save* endpoints. An authenticated user can save an internal/private IP address as a notification URL, and when the cron job sendnotifications.php executes, the request is sent to the internal IP without any SSRF validation. This issue has been patched in version 4.7.0.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef#diff-d77202c5d47a3d7d4586e519f6f5e256da5fb2969fa8b9c75c399b2821e9de40	Patch
https://github.com/ellite/Wallos/security/advisories/GHSA-mfjc-3258-cq3j	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-24 18:16

Updated : 2026-03-26 20:40

NVD link : CVE-2026-33399

Mitre link : CVE-2026-33399

CVE.ORG link : CVE-2026-33399

JSON object : View

Products Affected

wallosapp

wallos

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-33399", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.1}]}, "published": "2026-03-24T18:16:11.153", "references": [{"url": "https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef#diff-d77202c5d47a3d7d4586e519f6f5e256da5fb2969fa8b9c75c399b2821e9de40", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ellite/Wallos/security/advisories/GHSA-mfjc-3258-cq3j", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection was added to the test* notification endpoints but not to the corresponding save* endpoints. An authenticated user can save an internal/private IP address as a notification URL, and when the cron job sendnotifications.php executes, the request is sent to the internal IP without any SSRF validation. This issue has been patched in version 4.7.0."}, {"lang": "es", "value": "Wallos es un rastreador de suscripciones personal de c\u00f3digo abierto y autoalojable. Antes de la versi\u00f3n 4.7.0, la correcci\u00f3n de SSRF aplicada en la versi\u00f3n 4.6.2 para CVE-2026-30839 y CVE-2026-30840 est\u00e1 incompleta. La protecci\u00f3n validate_webhook_url_for_ssrf() se a\u00f1adi\u00f3 a los puntos finales de notificaci\u00f3n test* pero no a los puntos finales de guardado save* correspondientes. Un usuario autenticado puede guardar una direcci\u00f3n IP interna/privada como URL de notificaci\u00f3n, y cuando se ejecuta el trabajo cron sendnotifications.php, la solicitud se env\u00eda a la direcci\u00f3n IP interna sin ninguna validaci\u00f3n de SSRF. Este problema ha sido parcheado en la versi\u00f3n 4.7.0."}], "lastModified": "2026-03-26T20:40:28.377", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7376DD5F-C93E-4454-810B-DE04B2DE7032", "versionEndExcluding": "4.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}