{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30839", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:06:44.606Z", "datePublished": "2026-03-07T05:29:55.381Z", "dateUpdated": "2026-03-09T20:24:17.159Z"}, "containers": {"cna": {"title": "Wallos: SSRF via webhook test endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/ellite/Wallos/security/advisories/GHSA-x4qp-xm2c-vqg9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ellite/Wallos/security/advisories/GHSA-x4qp-xm2c-vqg9"}, {"name": "https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d", "tags": ["x_refsource_MISC"], "url": "https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d"}, {"name": "https://github.com/ellite/Wallos/releases/tag/v4.6.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/ellite/Wallos/releases/tag/v4.6.2"}], "affected": [{"vendor": "ellite", "product": "Wallos", "versions": [{"version": "< 4.6.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T05:29:55.381Z"}, "descriptions": [{"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in version 4.6.2."}], "source": {"advisory": "GHSA-x4qp-xm2c-vqg9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30839", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:17:31.328232Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:24:17.159Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30839", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:17:31.328232Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:18:47.345Z"}}], "cna": {"title": "Wallos: SSRF via webhook test endpoint", "source": {"advisory": "GHSA-x4qp-xm2c-vqg9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "ellite", "product": "Wallos", "versions": [{"status": "affected", "version": "< 4.6.2"}]}], "references": [{"url": "https://github.com/ellite/Wallos/security/advisories/GHSA-x4qp-xm2c-vqg9", "name": "https://github.com/ellite/Wallos/security/advisories/GHSA-x4qp-xm2c-vqg9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d", "name": "https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ellite/Wallos/releases/tag/v4.6.2", "name": "https://github.com/ellite/Wallos/releases/tag/v4.6.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in version 4.6.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T05:29:55.381Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30839", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:24:17.159Z", "dateReserved": "2026-03-05T21:06:44.606Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T05:29:55.381Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*", "matchCriteriaId": "0369A77F-C023-4EE5-873B-7466F873A8A9", "versionEndExcluding": "4.6.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in version 4.6.2."}, {"lang": "es", "value": "Wallos es un rastreador de suscripciones personal de c\u00f3digo abierto y autoalojable. Antes de la versi\u00f3n 4.6.2, testwebhooknotifications.php no valida la URL de destino frente a rangos de IP privados/reservados, lo que permite un SSRF de lectura completa. La respuesta del servidor se devuelve al llamador. Este problema ha sido parcheado en la versi\u00f3n 4.6.2."}], "id": "CVE-2026-30839", "lastModified": "2026-03-11T18:48:29.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-07T06:16:11.317", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/ellite/Wallos/releases/tag/v4.6.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ellite/Wallos/security/advisories/GHSA-x4qp-xm2c-vqg9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.6.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Wallos", "source": "cna", "vendor": "ellite"}, "product": "wallos", "vendor": "ellite"}], "analysis": {"en": {"generated_at": "2026-04-16T11:01:15.882022+00:00", "value": {"mitigation_remediation": ["Upgrade the Wallos instance to version 4.6.2 or later to apply the upstream fix that validates target URLs and sanitizes responses.", "If an immediate upgrade is not feasible, restrict external access to the testwebhooknotifications.php endpoint, or block outbound requests to private and reserved IP ranges via firewall rules.", "Audit firewall and network segmentation settings to ensure that the Wallos server cannot reach sensitive internal services from external clients."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011Side Request Forgery (SSRF) that allows internal resource reading"}, "threat_synthesis": {"affected_systems": "All installations of Wallos produced by ellite that run a version older than 4.6.2 are affected. The product is a self\u2011hosted personal subscription tracker.", "description_and_impact": "Wallos, an open\u2011source subscription tracker, contains an endpoint that sends arbitrary URLs to remote servers without validating them against private or reserved IP ranges. Attackers can target internal network services and obtain the response, effectively reading sensitive data or exposing internal infrastructure. The vulnerability was fixed in version 4.6.2 by adding proper URL validation and response handling.", "risk_and_exploitability": "The CVSS base score of 5.3 classifies the issue as moderate severity. The EPSS score of less than 1% indicates low likelihood of current exploitation, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires access to the exposed webhook testing endpoint; an attacker can craft a malicious request to read internal resources. The impact is limited to the scope of the server hosting Wallos, but it could expose sensitive internal endpoints if the system is network\u2011connected to private infrastructure."}}}}, "created": "2026-03-09T10:05:51.990744+00:00", "updated": "2026-04-16T11:15:27.671434+00:00", "vendors": ["ellite", "ellite$PRODUCT$wallos"]}