Severity by source
CVSS 3.1 base score 6.0 (Medium). Primary rating from GitHub Advisory, the only source rating this CVE.
CVSS vector (GitHub Advisory): CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Description (GitHub Advisory)
Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use Wallos to send server-side requests to allowlisted internal automation services. When such a target exposes deployment or execution APIs, this can further enable adjacent-service RCE, but that downstream result is conditional on the target service. At time of publication, there are no publicly available patches.
Analysis (AI-generated)
Wallos versions 4.8.4 and prior allow authenticated users to bypass webhook URL restrictions and send server-side requests to administrator-allowlisted internal targets by reusing the global allowlist for individual user webhooks. This enables Server-Side Request Forgery (SSRF) to internal automation services that may expose deployment or execution APIs, potentially leading to remote code execution on downstream systems. …
Vulnerability Assessment (AI-generated)
| Topic | Assessment |
| --- | --- |
| Exploitation | Exploitation requires: (1) authenticated access to Wallos (PR:L in the CVSS vector): the attacker must hold a valid user account, whether created through legitimate registration or obtained by compromising an existing low-privilege account; (2) the webhook notification feature must be enabled and configured by an administrator (not the default, but likely on production instances that use notifications); (3) the administrator must have populated the local-target allowlist with at least one internal address, since an empty allowlist leaves nothing to reach; (4) the allowlisted internal services must be network-reachable from the Wallos server (the usual situation for a self-hosted deployment). … |
| Risk Assessment | This vulnerability presents moderate real-world risk despite the 6.0 CVSS score. … |
| Exploit Scenario | An attacker with low-privilege access to a Wallos instance (a self-registered account or a compromised low-privilege user) opens the webhook configuration and creates a subscription notification whose target is an internal CI/CD API the administrator has allowlisted, such as a GitLab Runner or Jenkins deployment endpoint. The attacker crafts the webhook headers and body to mimic a legitimate deployment request, then triggers a subscription event so that Wallos sends the forged request to the internal service from its own network position. … |
| Remediation | No vendor-released patch has been identified at the time of analysis. … |
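The defect the description names is a policy bug rather than a parsing bug: the local-target allowlist is a per-administrator decision, but the check that consults it runs for every user's webhook. The following is an added example written for this page, not Wallos's own PHP code and not its fix. It models the flawed check beside a hardened one that honours the allowlist only for administrator-owned webhooks and judges everyone else's targets by the resolved address rather than the host name. The allowlist entries, the user and webhook records, and the stub DNS table are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Union
from urllib.parse import urlsplit

# Constructed sample data for this example (not taken from Wallos).
# The administrator's allowlist of local/internal webhook targets.
ADMIN_LOCAL_ALLOWLIST = {"ci.internal.lan", "10.0.0.25"}

# Stub DNS table so the example runs offline: name -> address.
# The mapping is made up; 8.8.8.8 merely stands in for "some public address".
FAKE_DNS = {
    "ci.internal.lan": "10.0.0.25",
    "hooks.example.com": "8.8.8.8",
    "looks-public.example.com": "10.0.0.25",  # public-looking name, private address
}

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool


@dataclass
class Webhook:
    owner: User
    url: str
    headers: dict = field(default_factory=dict)  # user-controlled per the advisory
    body: str = ""                               # user-controlled per the advisory


def resolve(host: str) -> Optional[Address]:
    """Address the host points at; IP literals pass straight through.
    A real implementation would query the resolver here instead of FAKE_DNS."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        addr = FAKE_DNS.get(host)
        return ipaddress.ip_address(addr) if addr else None


def is_internal(addr: Optional[Address]) -> bool:
    """Anything not globally routable counts as internal: RFC 1918 ranges,
    loopback, link-local, reserved blocks, and names that do not resolve."""
    return addr is None or not addr.is_global


def vulnerable_allowed(webhook: Webhook) -> bool:
    """The flawed pattern the advisory describes: the administrator's
    local-target allowlist is consulted for every user's webhook, so any
    authenticated user can point the server at an allowlisted internal host."""
    host = urlsplit(webhook.url).hostname or ""
    if host in ADMIN_LOCAL_ALLOWLIST:
        return True                      # allowlisted: allowed for anyone
    return not is_internal(resolve(host))


def hardened_allowed(webhook: Webhook) -> bool:
    """Hardened policy (this example's design, not Wallos's fix): internal
    destinations are reachable only from administrator-owned webhooks and only
    if allowlisted; ordinary users get public http(s) hosts, judged by the
    resolved address. Non-http schemes and URLs carrying credentials are refused."""
    parts = urlsplit(webhook.url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host or parts.username is not None:
        return False
    if not is_internal(resolve(host)):
        return True                      # public destination: anyone may use it
    return webhook.owner.is_admin and host in ADMIN_LOCAL_ALLOWLIST


if __name__ == "__main__":
    alice, bob = User("alice", is_admin=True), User("bob", is_admin=False)
    for wh in (
        Webhook(bob, "http://ci.internal.lan/api/deploy"),
        Webhook(alice, "http://ci.internal.lan/api/deploy"),
        Webhook(bob, "http://looks-public.example.com/"),
        Webhook(bob, "https://hooks.example.com/notify"),
    ):
        print(f"{wh.owner.name:6} {wh.url:40} vulnerable={vulnerable_allowed(wh)!s:5} "
              f"hardened={hardened_allowed(wh)}")
```

Two caveats for anyone using this as a compensating control while no vendor patch exists. First, the check is only meaningful if the outgoing request then connects to the address that passed it: pin the resolved IP for the connection and disable redirect following, otherwise DNS rebinding or a 3xx from a public host still lands on an internal service. Second, the policy here is coarse on purpose; if non-admin users genuinely need internal targets, give each user their own allowlist that an administrator approves per entry rather than sharing one global list.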
EUVD-2026-28385