Ellite Wallos vulnerabilities
12 known vulnerabilities affecting ellite/wallos.
Total CVEs: 12
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 5, MEDIUM 6
Vulnerabilities
CVE-2026-33407 | P3 | CRITICAL | CVSS 9.1 | fixed in 4.7.0 | 2026-03-24
CWE-918 | source: nvd
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling SSRF via proxy hijacking. The server performs DNS resolution on user-supplied search terms, which can be controlled by attackers to tr
CVE-2026-30840 | P3 | HIGH | CVSS 8.8 | fixed in 4.7.0 | 2026-03-07
CWE-295 | source: nvd
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2.
CVE-2026-27479 | P3 | HIGH | CVSS 7.7 | fixed in 4.6.1 | 2026-02-21
CWE-918 | source: nvd
Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery (SSRF) vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the request, but allows HTTP redirects (CURLOPT_FOLLOWLOCAT
CVE-2026-33399 | P3 | HIGH | CVSS 7.7 | ≤ 4.8.4 | 2026-03-24
CWE-918 | source: nvd
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection was added to the test* notification endpoints but not to the corresponding save* endpoints. An authenticated user can sa
CVE-2026-30828 | P3 | HIGH | CVSS 7.5 | fixed in 4.6.2 | 2026-03-07
CWE-22 | source: nvd
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.2.
CVE-2026-33417 | P3 | HIGH | CVSS 7.1 | fixed in 4.7.2 | 2026-03-24
CWE-613 | source: nvd
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp column, but the token validation logic never checks it. A password reset token remains valid indefinitely until it is used, allowing an attacker who inter
CVE-2026-41689 | P3 | MEDIUM | CVSS 6.0 | ≤ 4.8.4 | 2026-05-07
CWE-863 | source: nvd
Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use Wallos to send server-side requests to allowlisted interna
CVE-2026-30841 | P4 | MEDIUM | CVSS 6.1 | fixed in 4.6.2 | 2026-03-07
CWE-79 | source: nvd
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["email"] directly into HTML input value attributes without calling htmlspecialchars(). This allows reflected XSS by breaking out of the attribute context. This issue has been patched in version 4.
CVE-2026-33400 | P4 | MEDIUM | CVSS 5.4 | fixed in 4.7.0 | 2026-03-24
CWE-79 | source: nvd
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint allows any authenticated user to inject arbitrary JavaScript that executes when any user visits the Settings, Subscriptions, or Statistics pages. Combined with the wallo
CVE-2026-30839 | P4 | MEDIUM | CVSS 4.3 | fixed in 4.7.0 | 2026-03-07
CWE-918 | source: nvd
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in version 4.6.2.
CVE-2026-30842 | P4 | MEDIUM | CVSS 4.3 | fixed in 4.6.2 | 2026-03-07
CWE-862 | source: nvd
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any authenticated user who knows or can discover another us
CVE-2026-41687 | P4 | MEDIUM | CVSS 4.3 | fixed in 4.8.1 | 2026-05-07
CWE-918 | source: nvd
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.8.1, the SSRF protection in endpoints/subscription/add.php (line 42) and endpoints/payments/add.php (line 40) uses an inline IP validation check (FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) that does not block CGNAT addresses (100.64.0.0/10, RFC 6598)