VYPR
Vendor: Ellite
Products: 1
CVEs: 19 (19 across products)
Status: Private

Recent CVEs (19)

  • CVE-2025-60535 (High) Oct 14, 2025
    risk 0.47 | cvss 7.3 | epss 0.00

    A Cross-Site Request Forgery (CSRF) in the component /endpoints/currency/currency of Wallos v4.1.1 allows attackers to execute arbitrary operations via a crafted GET request.

  • CVE-2026-41688 (High) May 7, 2026
    risk 0.43 | cvss 7.7 | epss 0.00

    Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but passes the original hostname to cURL without CURLOPT_RESOLVE pinning on 10 of 11 outbound HTTP…

  • CVE-2026-41689 (Medium) May 7, 2026
    risk 0.39 | cvss 6.0 | epss 0.00

    Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and…

  • CVE-2026-41687 (Medium) May 7, 2026
    risk 0.21 | cvss 4.3 | epss 0.00

    Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.8.1, the SSRF protection in endpoints/subscription/add.php (line 42) and endpoints/payments/add.php (line 40) uses an inline IP validation check (FILTER_FLAG_NO_PRIV_RANGE |…

  • CVE-2026-33417 Mar 24, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp column, but the token validation logic never checks it. A password reset token…

  • CVE-2026-33401 Mar 24, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 (CVE-2026-30840) added SSRF protection to notification test endpoints but left three additional attack surfaces unprotected: the AI Ollama host…

  • CVE-2026-33400 Mar 24, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint allows any authenticated user to inject arbitrary JavaScript that executes when any user visits…

  • CVE-2026-33399 Mar 24, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection was added to the test* notification endpoints…

  • CVE-2026-33407 Mar 24, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling SSRF via proxy hijacking. The server performs DNS resolution on…

  • CVE-2026-30842 Mar 7, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user.…

  • CVE-2026-30841 Mar 7, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["email"] directly into HTML input value attributes using <?= $token ?> and <?= $email ?> without calling htmlspecialchars(). This…

  • CVE-2026-30840 Mar 7, 2026
    risk 0.00 | cvss n/a | epss 0.01

    Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2.

  • CVE-2026-30839 Mar 7, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has…

  • CVE-2026-30828 Mar 7, 2026
    risk 0.00 | cvss n/a | epss 0.01

    Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.2.

  • CVE-2026-27479 Feb 21, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery (SSRF) vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL…

  • CVE-2024-55371 Apr 16, 2025
    risk 0.00 | cvss n/a | epss 0.00

    Wallos <= 2.38.2 has a file upload vulnerability in the restore backup function, which allows authenticated users to restore backups by uploading a ZIP file. The contents of the ZIP file are extracted on the server. This functionality enables an authenticated attacker (being an…

  • CVE-2024-55372 Apr 16, 2025
    risk 0.00 | cvss n/a | epss 0.01

    Wallos <= 2.38.2 has a file upload vulnerability in the restore database function, which allows unauthenticated users to restore database by uploading a ZIP file. The contents of the ZIP file are extracted on the server. This functionality enables an unauthenticated attacker to…

  • CVE-2024-29320 Apr 30, 2024
    risk 0.00 | cvss n/a | epss 0.01

    Wallos before 1.15.3 is vulnerable to SQL Injection via the category and payment parameters to /subscriptions/get.php.

  • CVE-2024-22776 Feb 23, 2024
    risk 0.00 | cvss n/a | epss 0.00

    Wallos 0.9 is vulnerable to Cross Site Scripting (XSS) in all text-based input fields without proper validation, excluding those requiring specific formats like date fields.
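
Several of the SSRF entries above share one root cause: the URL is checked by resolving its hostname with gethostbyname() and filtering the result (CVE-2026-41687, CVE-2026-27479), but the original hostname is then handed to cURL, which resolves it a second time without CURLOPT_RESOLVE pinning (CVE-2026-41688); CVE-2026-33407 adds that cURL will also honour HTTP_PROXY/HTTPS_PROXY from the environment. The PHP below is an added example, not Wallos code and not the project's fix: it places the unpinned shape beside one that resolves once, validates every address, pins the vetted address with CURLOPT_RESOLVE, disables redirects and explicitly disables proxy use. The function names, the option choices and the constructed sample URLs (documentation range 203.0.113.0/24 standing in for a public target) are this example's own assumptions.

```php
<?php
// Added example (not Wallos code): outbound-URL guard illustrating the
// resolve-then-connect gap and one way to close it. Function names and
// option choices are this example's own assumptions.
declare(strict_types=1);

// Returns why $ip must not be contacted, or null if it is acceptable.
function disallowed_ip_reason(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return 'not an IP literal';
    }
    // Per the PHP manual, NO_PRIV_RANGE rejects RFC 1918 and fc00::/7, and
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, ::,
    // ::ffff:0:0/96 (IPv4-mapped) and fe80::/10.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return 'private or reserved range';
    }
    return null;
}

// Vulnerable shape: the check and the connection each resolve $host on their
// own, so an attacker-controlled DNS name that answers with a public address
// first and an internal one second passes the check and still reaches the
// internal target.
function fetch_unpinned(string $url): string|false
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || disallowed_ip_reason(gethostbyname($host)) !== null) {
        return false;
    }
    $ch = curl_init($url);                       // cURL resolves $host again here
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Hardened shape: constrain the URL, resolve the name exactly once, validate
// every returned address, then pin the chosen address with CURLOPT_RESOLVE so
// cURL performs no lookup of its own. Redirects are off (a 30x to an internal
// address would otherwise sidestep the check) and CURLOPT_PROXY is set to the
// empty string, which libcurl documents as disabling proxy use, so the
// environment's HTTP_PROXY/HTTPS_PROXY are ignored.
// Returns a cURL option array on success, or a rejection reason string.
function prepare_pinned_request(string $url): array|string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return 'unparseable URL or missing host';
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return "scheme '$scheme' not allowed";
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return 'credentials in URL not allowed';
    }
    $host = strtolower(trim($p['host'], '[]'));  // drop IPv6 literal brackets
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);

    $opts = [
        CURLOPT_URL            => $url,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_PROXY          => '',
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_RETURNTRANSFER => true,
    ];

    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        // IP literal: nothing to resolve, only validate it.
        $why = disallowed_ip_reason($host);
        return $why === null ? $opts : "$host: $why";
    }

    // Hostname: one lookup (A records only in this example, so IPv6-only
    // names are rejected as unresolvable); every address must pass.
    $addrs = gethostbynamel($host);
    if ($addrs === false || $addrs === []) {
        return "$host did not resolve";
    }
    foreach ($addrs as $ip) {
        if (($why = disallowed_ip_reason($ip)) !== null) {
            return "$host resolved to $ip: $why";
        }
    }
    // "host:port:address" pins the connection to the address just vetted.
    $opts[CURLOPT_RESOLVE] = ["$host:$port:{$addrs[0]}"];
    return $opts;
}

// Constructed sample inputs; all are IP literals or hostless, so this loop
// runs without network access.
foreach ([
    'http://127.0.0.1:8080/admin',
    'http://[::1]/',
    'http://169.254.169.254/latest/meta-data/',
    'file:///etc/passwd',
    'http://user:pw@203.0.113.10/hook',
    'https://203.0.113.10/hook',
] as $u) {
    $r = prepare_pinned_request($u);
    printf("%-44s %s\n", $u, is_array($r) ? 'accepted' : 'rejected (' . $r . ')');
}
```

To send the request, pass the returned array to curl_setopt_array() on a fresh handle. Two deliberate trade-offs: webhook targets that answer with a redirect will fail rather than be followed, and a service that wants to allow redirects has to re-run the resolve-validate-pin step for every hop instead of turning CURLOPT_FOLLOWLOCATION back on. The per-user allowlist problem in CVE-2026-41689 is separate from this check and is not addressed here.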