{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33399", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T17:02:34.170Z", "datePublished": "2026-03-24T17:43:52.364Z", "dateUpdated": "2026-03-24T18:27:22.399Z"}, "containers": {"cna": {"title": "Wallos: SSRF Bypass - Incomplete Fix for CVE-2026-30839/30840", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ellite/Wallos/security/advisories/GHSA-mfjc-3258-cq3j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ellite/Wallos/security/advisories/GHSA-mfjc-3258-cq3j"}, {"name": "https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef#diff-d77202c5d47a3d7d4586e519f6f5e256da5fb2969fa8b9c75c399b2821e9de40", "tags": ["x_refsource_MISC"], "url": "https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef#diff-d77202c5d47a3d7d4586e519f6f5e256da5fb2969fa8b9c75c399b2821e9de40"}], "affected": [{"vendor": "ellite", "product": "Wallos", "versions": [{"version": "< 4.7.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T17:43:52.364Z"}, "descriptions": [{"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection was added to the test* notification endpoints but not to the corresponding save* endpoints. An authenticated user can save an internal/private IP address as a notification URL, and when the cron job sendnotifications.php executes, the request is sent to the internal IP without any SSRF validation. This issue has been patched in version 4.7.0."}], "source": {"advisory": "GHSA-mfjc-3258-cq3j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T18:27:15.314169Z", "id": "CVE-2026-33399", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:27:22.399Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33399", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T18:27:15.314169Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:27:19.048Z"}}], "cna": {"title": "Wallos: SSRF Bypass - Incomplete Fix for CVE-2026-30839/30840", "source": {"advisory": "GHSA-mfjc-3258-cq3j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ellite", "product": "Wallos", "versions": [{"status": "affected", "version": "< 4.7.0"}]}], "references": [{"url": "https://github.com/ellite/Wallos/security/advisories/GHSA-mfjc-3258-cq3j", "name": "https://github.com/ellite/Wallos/security/advisories/GHSA-mfjc-3258-cq3j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef#diff-d77202c5d47a3d7d4586e519f6f5e256da5fb2969fa8b9c75c399b2821e9de40", "name": "https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef#diff-d77202c5d47a3d7d4586e519f6f5e256da5fb2969fa8b9c75c399b2821e9de40", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection was added to the test* notification endpoints but not to the corresponding save* endpoints. An authenticated user can save an internal/private IP address as a notification URL, and when the cron job sendnotifications.php executes, the request is sent to the internal IP without any SSRF validation. This issue has been patched in version 4.7.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T17:43:52.364Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33399", "state": "PUBLISHED", "dateUpdated": "2026-03-24T18:27:22.399Z", "dateReserved": "2026-03-19T17:02:34.170Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T17:43:52.364Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*", "matchCriteriaId": "7376DD5F-C93E-4454-810B-DE04B2DE7032", "versionEndExcluding": "4.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection was added to the test* notification endpoints but not to the corresponding save* endpoints. An authenticated user can save an internal/private IP address as a notification URL, and when the cron job sendnotifications.php executes, the request is sent to the internal IP without any SSRF validation. This issue has been patched in version 4.7.0."}, {"lang": "es", "value": "Wallos es un rastreador de suscripciones personal de c\u00f3digo abierto y autoalojable. Antes de la versi\u00f3n 4.7.0, la correcci\u00f3n de SSRF aplicada en la versi\u00f3n 4.6.2 para CVE-2026-30839 y CVE-2026-30840 est\u00e1 incompleta. La protecci\u00f3n validate_webhook_url_for_ssrf() se a\u00f1adi\u00f3 a los puntos finales de notificaci\u00f3n test* pero no a los puntos finales de guardado save* correspondientes. Un usuario autenticado puede guardar una direcci\u00f3n IP interna/privada como URL de notificaci\u00f3n, y cuando se ejecuta el trabajo cron sendnotifications.php, la solicitud se env\u00eda a la direcci\u00f3n IP interna sin ninguna validaci\u00f3n de SSRF. Este problema ha sido parcheado en la versi\u00f3n 4.7.0."}], "id": "CVE-2026-33399", "lastModified": "2026-03-26T20:40:28.377", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T18:16:11.153", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef#diff-d77202c5d47a3d7d4586e519f6f5e256da5fb2969fa8b9c75c399b2821e9de40"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ellite/Wallos/security/advisories/GHSA-mfjc-3258-cq3j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.7.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Wallos", "source": "cna", "vendor": "ellite"}, "product": "wallos", "vendor": "ellite"}], "analysis": {"en": {"generated_at": "2026-03-26T21:33:51.874962+00:00", "value": {"mitigation_remediation": ["Apply the 4.7.0 patch or later to Wallos", "Verify that all webhook URLs are normalized and validated against internal IP ranges before storage", "If possible, disable or postpone the sendnotifications.php cron job until the patch is applied", "Restrict user permissions so that only trusted administrators can modify notification URLs"], "summary": {"action": "Patch immediately", "impact": "Internal network access via SSRF bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all releases of Ellite Wallos prior to version 4.7.0. Administrators using any earlier build should be aware that the system can accept and forward requests to internal or private addresses configured as notification URLs.", "description_and_impact": "A flaw in Wallos allows an authenticated user to store an internal or private IP address as a webhook notification URL. The validate_webhook_url_for_ssrf() protection was added only to test endpoints and not to the save endpoints, so when the scheduled sendnotifications.php task runs it resolves the webhook URL without SSRF validation. This omission lets the application make HTTP requests to any internal IP, potentially exposing internal services, retrieving sensitive data, or facilitating lateral movement within the network. The weakness is categorized as an SSRF vulnerability (CWE-918).", "risk_and_exploitability": "The CVSS score of 7.7 indicates a high risk, and the EPSS score of less than 1% suggests low current exploitation prevalence. The issue is not listed in CISA\u2019s KEV catalog. The attack vector requires authentication to the application and the ability to save a webhook URL; once the cron job runs the malicious request is executed automatically. While the impact is limited to internal network resources, the potential for further exploitation depends on the services exposed on those internal IP addresses."}}}}, "created": "2026-03-25T11:46:53.020495+00:00", "updated": "2026-03-27T09:20:51.708370+00:00", "vendors": ["ellite", "ellite$PRODUCT$wallos"]}