Unrated severityNVD Advisory· Published Mar 7, 2026· Updated Mar 9, 2026
Wallos: SSRF via webhook test endpoint
CVE-2026-30839
Description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in version 4.6.2.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060dmitrex_refsource_MISC
- github.com/ellite/Wallos/releases/tag/v4.6.2mitrex_refsource_MISC
- github.com/ellite/Wallos/security/advisories/GHSA-x4qp-xm2c-vqg9mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.