
Wallos EUVD-2026-28384

CVE-2026-41688 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-07 GitHub_M
7.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

  • Source Code Evidence Fetched: May 07, 2026 - 15:00 (vuln.today)
  • Analysis Generated: May 07, 2026 - 15:00 (vuln.today)
  • CVE Published: May 07, 2026 - 13:52 (nvd)

Description (GitHub Advisory)

Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but passes the original hostname to cURL without CURLOPT_RESOLVE pinning on 10 of 11 outbound HTTP endpoints, leaving a DNS rebinding TOCTOU window. At time of publication, there are no publicly available patches.
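The check-then-use gap the description refers to, shown as an added PHP illustration written for this page (it is not Wallos's code; the function names, the is_public_ip helper and PHP 8 are assumptions): the unpinned version resolves the hostname for the check and then lets cURL resolve it again, while the pinned version hands cURL the already validated IP through CURLOPT_RESOLVE so no second lookup can occur.

```php
<?php
// Added illustration, not Wallos code: the check-then-use pattern the advisory
// describes, beside a hardened variant that pins the validated IP for cURL.

// Assumed helper: true only for well-formed, non-private, non-reserved addresses.
function is_public_ip(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Vulnerable shape: the IP that was checked is not the IP that is dialled.
// A rebinding DNS name can answer with a public IP for gethostbyname() and an
// internal IP moments later when cURL resolves the same name a second time.
function post_webhook_unpinned(string $url, string $body): string|false {
    $host = (string) parse_url($url, PHP_URL_HOST);
    $ip = gethostbyname($host);                 // check ...
    if (!is_public_ip($ip)) { return false; }
    $ch = curl_init($url);                      // ... use: cURL resolves $host afresh
    curl_setopt_array($ch, [CURLOPT_POST => true, CURLOPT_POSTFIELDS => $body,
        CURLOPT_RETURNTRANSFER => true]);
    $out = curl_exec($ch); curl_close($ch); return $out;
}

// Hardened shape: resolve once, validate that result, and tell cURL to connect
// to exactly that IP for this host:port via CURLOPT_RESOLVE.
function post_webhook_pinned(string $url, string $body): string|false {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])) { return false; }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) { return false; }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    $ip = gethostbyname($host);   // returns $host unchanged on failure, which fails the IP check
    if (!is_public_ip($ip)) { return false; }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST => true, CURLOPT_POSTFIELDS => $body, CURLOPT_RETURNTRANSFER => true,
        CURLOPT_RESOLVE => ["{$host}:{$port}:{$ip}"],   // pin name -> validated IP
        CURLOPT_FOLLOWLOCATION => false,   // a redirect would otherwise resolve a new name
        CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5, CURLOPT_TIMEOUT => 10,
    ]);
    $out = curl_exec($ch); curl_close($ch); return $out;
}
```

gethostbyname() only returns an A record, so the pinned variant also covers the case where cURL would otherwise have preferred an AAAA answer for the same name.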

Analysis (AI)

DNS rebinding bypass in Wallos subscription tracker allows authenticated users to exfiltrate internal network data via SSRF on 10 of 11 HTTP endpoints. Wallos 4.8.4 and prior validate webhook URLs with gethostbyname() but fail to pin DNS resolution in cURL requests, creating a time-of-check-time-of-use race window. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate to Wallos
Delivery: Configure malicious webhook URL with rebinding domain
Exploit: Trigger DNS validation (returns safe IP)
Execution: Wait for cURL execution (DNS returns internal IP)
Persist: Exfiltrate cloud metadata/internal service data
Impact: Pivot with stolen credentials

Vulnerability Assessment (AI)

Exploitation: Requires authenticated access to Wallos with permissions to configure webhooks or AI integration URLs (Discord notifications, Ollama host settings). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: CVSS 7.7 (High) with network vector, low complexity, and Changed scope accurately reflects real-world risk for self-hosted deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: Authenticated attacker with low-privilege Wallos account configures a malicious webhook URL (e.g., Discord notification or AI/Ollama host) pointing to attacker-controlled DNS domain rebind.attacker.com. Attacker's DNS server returns 1.2.3.4 (safe external IP) during Wallos's gethostbyname() validation check. …
Remediation: No vendor-released patch identified at time of analysis; the CVE description explicitly states no publicly available patches exist. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all Wallos deployments and confirm versions currently in use; restrict Wallos network access to trusted internal networks only via firewall rules. …

