SSRF in Ellite Wallos

CVE-2026-33407

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling SSRF via proxy hijacking…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.001 (25.3th percentile)

Affected products

Weakness classification (CWE)

References