CVE-2026-30839

UNKNOWN 0.0

Wallos: SSRF via webhook test endpoint

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in version 4.6.2.

CWE	CWE-918
Vendor	ellite
Product	wallos
Published	Mar 7, 2026
Last Updated	Mar 9, 2026

Stay Ahead of the Next One

Get instant alerts for ellite wallos

Be the first to know when new unknown vulnerabilities affecting ellite wallos are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

ellite / Wallos

< 4.6.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/ellite/Wallos/security/advisories/GHSA-x4qp-xm2c-vqg9 github.com: https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d github.com: https://github.com/ellite/Wallos/releases/tag/v4.6.2