Wallos
CVE-2026-30840
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2.
AnalysisAI
Server-side request forgery in Wallos versions before 4.6.2 allows authenticated attackers to conduct arbitrary network requests through the notification tester functionality. An attacker with user privileges can exploit this to access internal services, retrieve sensitive data, or interact with backend systems on behalf of the server. Public exploit code exists for this vulnerability, though a patch is available in version 4.6.2.
Technical ContextAI
Classified as CWE-295 (Improper Certificate Validation). Affects Wallos. Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2.
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 4.6.2.. Restrict network access to the affected service where possible.
Wallos <=2.38.2 has a file upload vulnerability in the restore database function, which allows unauthenticated users to
Wallos <= 2.38.2 has a file upload vulnerability in the restore backup function, which allows authenticated users to res
Wallos before 1.15.3 is vulnerable to SQL Injection via the category and payment parameters to /subscriptions/get.php. R
Wallos versions 4.6.0 and below allow authenticated attackers to perform Server-Side Request Forgery attacks through the
Path traversal in Wallos subscription tracker versions prior to 4.6.2 allows unauthenticated remote attackers to read ar
Reflected cross-site scripting (XSS) in Wallos password reset functionality before version 4.6.2 allows unauthenticated
Wallos 0.9 is vulnerable to Cross Site Scripting (XSS) in all text-based input fields without proper validation, excludi
Wallos prior to version 4.6.2 contains an authorization bypass allowing authenticated users to delete avatar files belon
Wallos versions prior to 4.6.2 contain a server-side request forgery (SSRF) vulnerability in the webhook notification te
DNS rebinding bypass in Wallos subscription tracker allows authenticated users to exfiltrate internal network data via S
Wallos, an open-source self-hostable subscription tracker, contains an authentication bypass vulnerability in its passwo
Wallos versions 4.8.4 and prior allow authenticated users to bypass webhook URL restrictions and send server-side reques
Same weakness CWE-295 – Improper Certificate Validation
View allShare
External POC / Exploit Code
Leaving vuln.today