SSRF in Ellite Wallos

CVE-2026-33401

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 (CVE-2026-30840) added SSRF protection to notification test endpoints but left three additional attack…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.000 (13.1th percentile) — read the EPSS interpretation.

Affected products

Ellite Wallos — versions < 4.7.0

Weakness classification (CWE)

CWE-918 — Server-Side Request Forgery (SSRF)

References

https://github.com/ellite/Wallos/security/advisories/GHSA-r82v-p8cg-rgx3 (x_refsource_CONFIRM)
https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef (x_refsource_MISC)
https://github.com/ellite/Wallos/commit/e8a513591 (x_refsource_MISC)