2 matches found
CVE-2026-41689 Wallos: Shared local webhook allowlist lets low-privilege users send arbitrary requests to allowlisted internal services
Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use...
CVE-2026-41689
CVE-2026-41689 affects Wallos up to version 4.8.4. The webhook notification feature reuses an administrator-configured local-target allowlist for all logged-in users, allowing any normal user to fully control a webhook URL, headers, and body, then send server-side requests to allowlisted internal...