Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 (CVE-2026-30840) added SSRF protection to notification test endpoints but left three additional attack surfaces unprotected: the AI Ollama host parameter, the AI recommendations endpoint, and the notification cron job. An authenticated user can reach internal network services, cloud metadata endpoints (AWS IMDSv1, GCP, Azure IMDS), or localhost-bound services by supplying a crafted URL to any of these endpoints. This issue has been patched in version 4.7.0.
AnalysisAI
Wallos, an open-source self-hostable subscription tracker, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 4.7.0 that allows authenticated users to access internal network services, cloud metadata endpoints, and localhost-bound services. The vulnerability exists in three unprotected attack surfaces: the AI Ollama host parameter, the AI recommendations endpoint, and the notification cron job-areas that were missed when SSRF protections were partially implemented in an earlier patch (CVE-2026-30840). An attacker with valid credentials can leverage these endpoints to reach sensitive internal resources including AWS IMDSv1, GCP, and Azure metadata services.
Technical ContextAI
This vulnerability is classified under CWE-918 (Server-Side Request Forgery), which occurs when an application fetches remote resources without proper validation of user-supplied URLs. The Wallos application (identified via CPE cpe:2.3:a:ellite:wallos) processes user input for external service parameters without enforcing allowlist restrictions or network isolation. The vulnerability spans three distinct code paths: the AI Ollama integration (which accepts arbitrary host URLs), the AI recommendations feature (which may construct requests to external endpoints), and background cron jobs handling notifications (which execute scheduled network requests). The incomplete patch history (commit e8a513591 addressed notification test endpoints but overlooked these three related surfaces) indicates a broader architectural gap in input validation across the application's integration layers.
RemediationAI
Upgrade Wallos immediately to version 4.7.0 or later, which includes patches addressing all three attack surfaces (AI Ollama host parameter, AI recommendations endpoint, and notification cron job). The patch commits are available at https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef and related references in the official repository. For environments unable to patch immediately, implement network-level mitigations by restricting outbound connections from the Wallos service to only approved external endpoints using host-based firewalls or network segmentation; disable the AI features and notification functionality if not in use; and audit recent authentication logs for suspicious endpoint requests targeting internal IP ranges (10.0.0.0/8, 169.254.169.254, or localhost). Additionally, rotate any credentials or tokens that may have been exposed through metadata endpoints if compromise is suspected.
Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path,
Denial of service in Ollama's multi-modal image processing (versions 0.11.5-rc0 through 0.13.5) lets remote attackers cr
An issue was discovered in Ollama before 0.1.46. Rated high severity (CVSS 8.2), this vulnerability is remotely exploita
A vulnerability in the Ollama server version 0.5.11 allows a malicious user to cause a Denial of Service (DoS) attack by
A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to upload and create a customized GGUF model
An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the fs/ggml/gguf.go, function rea
An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder [CVSS 7.5 HIGH]
A divide by zero vulnerability exists in ollama/ollama version v0.3.3. Rated high severity (CVSS 7.5), this vulnerabilit
A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to create a customized GGUF model file that,
A vulnerability in Ollama versions <=0.3.14 allows a malicious user to create a customized gguf model file that can be u
An issue was discovered in Ollama before 0.1.46. Rated high severity (CVSS 7.5), this vulnerability is remotely exploita
An issue was discovered in Ollama before 0.1.34. Rated high severity (CVSS 7.5), this vulnerability is remotely exploita
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14947