CVE-2026-30840

HIGH 8.8

Wallos: Server-Side Request Forgery (SSRF) in Notification Testers

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2.

CWE	CWE-918 CWE-295
Vendor	ellite
Product	wallos
Published	Mar 7, 2026
Last Updated	Mar 9, 2026

Stay Ahead of the Next One

Get instant alerts for ellite wallos

Be the first to know when new high vulnerabilities affecting ellite wallos are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Versions

ellite / Wallos

< 4.6.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/ellite/Wallos/security/advisories/GHSA-mr2c-prqv-hqm8 github.com: https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d github.com: https://github.com/ellite/Wallos/releases/tag/v4.6.2