SSRF in Ellite Wallos

CVE-2026-30839

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response i…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.000 (percentile 2.3)

Affected products

Weakness classification (CWE)

References