CVE-2026-41689

Published: May 7, 2026Modified: May 7, 2026Deferred

6.0

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

Exploitability: 1.8 / Impact: 3.7

Source: security-advisories@github.com (Secondary)

Description

Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use Wallos to send server-side requests to allowlisted internal automation services. When such a target exposes deployment or execution APIs, this can further enable adjacent-service RCE, but that downstream result is conditional on the target service. At time of publication, there are no publicly available patches.

Related CWEs

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (2)

https://github.com/ellite/Wallos/security/advisories/GHSA-jx6w-832g-42wv

Source: security-advisories@github.com

https://github.com/ellite/Wallos/security/advisories/GHSA-jx6w-832g-42wv

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.