CVE-2026-33407

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling SSRF via proxy hijacking. The server performs DNS resolution on user-supplied search terms, which can be controlled by attackers to trigger outbound requests to arbitrary domains. This issue has been patched in version 4.7.0.
Configurations

Configuration 1

cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*

History

26 Mar 2026, 20:54

Type | Values Removed | Values Added
CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 9.1
Summary | | (es) Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the Wallos endpoint /logos/search.PHP accepts the HTTP_PROXY and HTTPS_PROXY environment variables without validation, allowing SSRF via proxy hijacking. The server performs DNS resolution on user-supplied search terms, which attackers can control to trigger outbound requests to arbitrary domains. This issue has been patched in version 4.7.0.
First Time | | Wallosapp wallos; Wallosapp
CPE cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*
References | https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef#diff-d77202c5d47a3d7d4586e519f6f5e256da5fb2969fa8b9c75c399b2821e9de40 | https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef#diff-d77202c5d47a3d7d4586e519f6f5e256da5fb2969fa8b9c75c399b2821e9de40 - Patch
References | https://github.com/ellite/Wallos/security/advisories/GHSA-hhjq-82f8-m6rc | https://github.com/ellite/Wallos/security/advisories/GHSA-hhjq-82f8-m6rc - Exploit, Vendor Advisory

24 Mar 2026, 18:16

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2026-03-24 18:16

Updated : 2026-03-26 20:54


NVD link : CVE-2026-33407

Mitre link : CVE-2026-33407

CVE.ORG link : CVE-2026-33407



Products Affected

wallosapp

  • wallos
CWE
CWE-918

Server-Side Request Forgery (SSRF)

CWE-922

Insecure Storage of Sensitive Information