๐Ÿ” CVE Alert

CVE-2026-33407

UNKNOWN 0.0

Wallos: SSRF via HTTP Proxy Environment Variable

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 13th

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the Wallos endpoint endpoints/logos/search.php accepts the HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling SSRF via proxy hijacking. The server performs DNS resolution on user-supplied search terms, which an attacker can control to trigger outbound requests to arbitrary domains. This issue has been patched in version 4.7.0.

CWE: CWE-918, CWE-922
Vendor: ellite
Product: wallos
Published: Mar 24, 2026
Last Updated: Mar 26, 2026

Affected Versions

ellite / Wallos
< 4.7.0

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/ellite/Wallos/security/advisories/GHSA-hhjq-82f8-m6rc
github.com: https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef#diff-d77202c5d47a3d7d4586e519f6f5e256da5fb2969fa8b9c75c399b2821e9de40