EUVD-2026-28384

Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname but passes the original hostname to cURL without CURLOPTRESOLVE pinning on 10 of 11 outbound HTTP endpoints, leaving a DNS...

PT-2026-38444

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.8.1, the SSRF protection in endpoints/subscription/add.php line 42 and endpoints/payments/add.php line 40 uses an inline IP validation check FILTER FLAG NO PRIV RANGE | FILTER FLAG NO RES RANGE that does not...

CVE-2026-33407

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTPPROXY and HTTPSPROXY environment variables without validation, enabling SSRF via proxy hijacking. The server performs DNS resolution on user-supplied search...

CVE-2026-33401

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 CVE-2026-30840 added SSRF protection to notification test endpoints but left three additional attack surfaces unprotected: the AI Ollama host parameter, the AI...

EUVD-2026-14947

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 CVE-2026-30840 added SSRF protection to notification test endpoints but left three additional attack surfaces unprotected: the AI Ollama host parameter, the AI...

CVE-2026-30840

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2...

EUVD-2026-10122

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any...

EUVD-2026-10116

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.2...

PT-2026-23827

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any...

Wallos 代码问题漏洞

Wallos is an open-source personal subscription tracker developed by Miguel Ribeiro. Versions of Wallos prior to 4.6.2 had code vulnerabilities, as the url parameters could be used to access local system files...

Wallos 跨站脚本漏洞

Wallos is an open-source personal subscription tracker developed by Miguel Ribeiro. Versions of Wallos prior to 4.6.2 contained a cross-site scripting vulnerability. This vulnerability stemmed from the fact that the $GET parameter was directly output as an HTML input value attribute without being...

PT-2026-23823

Name of the Vulnerable Software and Affected Versions Wallos versions prior to 4.6.2 Description Wallos is a self-hostable personal subscription tracker. Versions prior to 4.6.2 contain an issue where the url parameter can be exploited to retrieve local system files. Recommendations Update to...

Wallos 代码问题漏洞

Wallos is an open-source personal subscription tracker developed by Miguel Ribeiro. Versions of Wallos prior to 4.6.2 had code-related vulnerabilities, which stemmed from server-side request forgeing in the notification tester...

PT-2026-21371

Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery SSRF vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the...

Wallos 安全漏洞

Wallos is an open source personal subscription tracker by the individual developer Miguel Ribeiro. A security vulnerability exists in Wallos 2.38.2 and earlier versions, which stems from a recovery database feature that allows unauthenticated users to upload malicious files, potentially leading t...

Wallos SQL注入漏洞

Wallos is an open source personal subscription tracker by the individual developer Miguel Ribeiro. A SQL injection vulnerability exists in Wallos versions prior to 1.15.3, which originates from an easy SQL injection via the category and payment parameters of /subscriptions/get.php...