{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30840", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:06:44.606Z", "datePublished": "2026-03-07T05:39:40.854Z", "dateUpdated": "2026-03-09T20:24:17.322Z"}, "containers": {"cna": {"title": "Wallos: Server-Side Request Forgery (SSRF) in Notification Testers", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "references": [{"name": "https://github.com/ellite/Wallos/security/advisories/GHSA-mr2c-prqv-hqm8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ellite/Wallos/security/advisories/GHSA-mr2c-prqv-hqm8"}, {"name": "https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d", "tags": ["x_refsource_MISC"], "url": "https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d"}, {"name": "https://github.com/ellite/Wallos/releases/tag/v4.6.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/ellite/Wallos/releases/tag/v4.6.2"}], "affected": [{"vendor": "ellite", "product": "Wallos", "versions": [{"version": "< 4.6.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T05:39:40.854Z"}, "descriptions": [{"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2."}], "source": {"advisory": "GHSA-mr2c-prqv-hqm8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30840", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T20:16:53.418478Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:24:17.322Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30840", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T20:16:53.418478Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:18:49.414Z"}}], "cna": {"title": "Wallos: Server-Side Request Forgery (SSRF) in Notification Testers", "source": {"advisory": "GHSA-mr2c-prqv-hqm8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ellite", "product": "Wallos", "versions": [{"status": "affected", "version": "< 4.6.2"}]}], "references": [{"url": "https://github.com/ellite/Wallos/security/advisories/GHSA-mr2c-prqv-hqm8", "name": "https://github.com/ellite/Wallos/security/advisories/GHSA-mr2c-prqv-hqm8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d", "name": "https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ellite/Wallos/releases/tag/v4.6.2", "name": "https://github.com/ellite/Wallos/releases/tag/v4.6.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T05:39:40.854Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30840", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:24:17.322Z", "dateReserved": "2026-03-05T21:06:44.606Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T05:39:40.854Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*", "matchCriteriaId": "0369A77F-C023-4EE5-873B-7466F873A8A9", "versionEndExcluding": "4.6.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2."}, {"lang": "es", "value": "Wallos es un rastreador de suscripciones personal de c\u00f3digo abierto y autoalojable. Antes de la versi\u00f3n 4.6.2, existe una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor en los probadores de notificaciones. Este problema ha sido parcheado en la versi\u00f3n 4.6.2."}], "id": "CVE-2026-30840", "lastModified": "2026-03-11T18:32:29.380", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-07T06:16:11.463", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/ellite/Wallos/releases/tag/v4.6.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/ellite/Wallos/security/advisories/GHSA-mr2c-prqv-hqm8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}, {"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.6.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Wallos", "source": "cna", "vendor": "ellite"}, "product": "wallos", "vendor": "ellite"}], "analysis": {"en": {"generated_at": "2026-04-16T11:01:05.889611+00:00", "value": {"mitigation_remediation": ["Upgrade Wallos to version 4.6.2 or later to eliminate the SSRF flaw.", "Restrict outbound network access from the Wallos instance, blocking requests to internal or sensitive endpoints.", "If upgrading is not immediately possible, disable or remove the notification tester feature to prevent exploitation."], "summary": {"action": "Apply Patch", "impact": "Server-Side Request Forgery"}, "threat_synthesis": {"affected_systems": "All users running ellite's Wallos before version 4.6.2 are affected. The vulnerability applies to the open\u2011source Wallos application, all platforms supported by the product, and affects any installation where the notification tester endpoint is reachable. Users on later releases, notably 4.6.2 and newer, have received the fix.", "description_and_impact": "Wallos, an open\u2011source personal subscription tracker, has a server\u2011side request forgery flaw in its notification testing feature. An unauthenticated or authenticated attacker who can trigger the tester can make the server send HTTP requests to arbitrary URLs, potentially accessing internal resources, leaking data, or pivoting to other systems. The weakness corresponds to CWE\u2011918 and CWE\u2011295, indicating path traversal and insecure communication protocols.", "risk_and_exploitability": "CVSS score 8.8 points to high impact; however, EPSS suggests the probability of real\u2011world exploitation is very low (<1%), and the vulnerability has not been listed in CISA's KEV catalog. The likely attack vector is remote, driven by sending crafted requests to the notification tester API. No authentication is required to trigger the flaw, meaning any tip\u2011to\u2011tap can serve as an initial foothold. The impact includes unauthorized data access, credential theft, or as a pivot for further lateral movement."}}}}, "created": "2026-03-09T10:05:51.093297+00:00", "updated": "2026-04-16T11:15:27.669987+00:00", "vendors": ["ellite", "ellite$PRODUCT$wallos"]}