CVE-2026-33399

Published: Mar 24, 2026 Last Modified: Mar 24, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,7

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: changed

Confidentiality: high

Integrity: none

Availability: none

Description

AI Translation Available

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection was added to the test* notification endpoints but not to the corresponding save* endpoints. An authenticated user can save an internal/private IP address as a notification URL, and when the cron job sendnotifications.php executes, the request is sent to the internal IP without any SSRF validation. This issue has been patched in version 4.7.0.

918

Server-Side Request Forgery (SSRF)

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Access Control

Potential Impacts:

Read Application Data Execute Unauthorized Code Or Commands Bypass Protection Mechanism

Applicable Platforms

Technologies: AI/ML, Web Based, Web Server

View CWE Details

https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e…

https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ece…

https://github.com/ellite/Wallos/security/advisories/GHSA-m…

https://github.com/ellite/Wallos/security/advisories/GHSA-mfjc-3258-cq3j

CVE-2026-33399

Description

Server-Side Request Forgery (SSRF)

Common Consequences

Applicable Platforms

Iscriviti alla newsletter