PT-2026-21371 · Wallos · Wallos

Acorzo1983 · Published 2026-02-21 · Updated 2026-02-21 · CVE-2026-27479

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Wallos versions 4.6.0 and below

Description: Wallos is a self-hostable personal subscription tracker susceptible to a Server-Side Request Forgery (SSRF) issue in the subscription and payment logo/icon upload functionality. The application validates the IP address of a provided URL, but allows HTTP redirects, enabling an attacker to bypass IP validation and access internal resources, including cloud instance metadata endpoints. The getLogoFromUrl() function uses FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE to validate the URL, but the cURL request is configured with CURLOPT_FOLLOWLOCATION = true and CURLOPT_MAXREDIRS = 3, so redirects are followed without re-validating the destination IP.

Recommendations: Update to version 4.6.1 or later.
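The weakness described above is a general one: a single check on the initial URL is meaningless if the HTTP client then follows Location headers on its own. The following Python is an added illustration, not Wallos code and not the project's fix; it shows the vulnerable validate-once pattern next to a hardened fetch that disables automatic redirects and validates every hop (the equivalent of turning CURLOPT_FOLLOWLOCATION off and looping manually in the PHP original). The fake network, the hosts evil.example and cdn.example, and the addresses 1.2.3.4 and 5.6.7.8 are constructed for the example; 169.254.169.254 is the usual cloud metadata address.

```python
"""Redirect-safe logo fetch: re-validate the destination of every hop.

Illustrative Python (not Wallos code). The vulnerable pattern validates the
URL once and then lets the HTTP client follow redirects by itself; the safe
pattern turns automatic redirects off and checks each Location target.
"""
import ipaddress
from typing import Callable, Dict, Tuple
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 3  # same cap as CURLOPT_MAXREDIRS in the advisory
REDIRECT_CODES = (301, 302, 303, 307, 308)

# transport(url) -> (status, headers, body); injectable so the example runs offline
Transport = Callable[[str], Tuple[int, Dict[str, str], bytes]]
Resolver = Callable[[str], str]  # hostname -> dotted IP string


class UnsafeUrl(Exception):
    pass


def is_public_ip(ip_str: str) -> bool:
    """Reject roughly the address classes FILTER_FLAG_NO_PRIV_RANGE |
    FILTER_FLAG_NO_RES_RANGE reject: private, loopback, link-local (which
    includes 169.254.169.254), reserved, multicast and unspecified."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_url(url: str, resolver: Resolver) -> str:
    """Allow only http(s) URLs whose host resolves to a public address; returns the IP."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise UnsafeUrl(f"scheme not allowed: {parsed.scheme!r}")
    if not parsed.hostname:
        raise UnsafeUrl("missing host")
    try:
        ip_str = str(ipaddress.ip_address(parsed.hostname))  # literal IP in the URL
    except ValueError:
        ip_str = resolver(parsed.hostname)                   # hostname: resolve it
    if not is_public_ip(ip_str):
        raise UnsafeUrl(f"{parsed.hostname} -> {ip_str} is not a public address")
    return ip_str


def fetch_logo_vulnerable(url: str, transport: Transport, resolver: Resolver) -> bytes:
    """Vulnerable pattern: validate once, then follow redirects blindly
    (what CURLOPT_FOLLOWLOCATION = true does on the caller's behalf)."""
    validate_url(url, resolver)
    current = url
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = transport(current)
        if status in REDIRECT_CODES:
            current = urljoin(current, headers["Location"])  # destination never re-checked
            continue
        return body
    raise UnsafeUrl("too many redirects")


def fetch_logo_safe(url: str, transport: Transport, resolver: Resolver) -> bytes:
    """Hardened pattern: no automatic redirects; every hop is validated before it is requested."""
    current = url
    for _ in range(MAX_REDIRECTS + 1):
        validate_url(current, resolver)
        status, headers, body = transport(current)
        if status in REDIRECT_CODES:
            location = headers.get("Location")
            if not location:
                raise UnsafeUrl("redirect without Location header")
            current = urljoin(current, location)
            continue
        return body
    raise UnsafeUrl("too many redirects")


# Constructed offline network: one public host that redirects to the metadata
# address, one public host that redirects to a relative path on itself.
FAKE_NET = {
    "http://evil.example/logo.png": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"INTERNAL METADATA"),
    "http://cdn.example/logo.png": (301, {"Location": "/static/logo.png"}, b""),
    "http://cdn.example/static/logo.png": (200, {}, b"\x89PNG"),
}


def fake_transport(url: str):
    return FAKE_NET[url]


def fake_resolver(host: str) -> str:
    return {"evil.example": "1.2.3.4", "cdn.example": "5.6.7.8"}[host]  # constructed public IPs


def demo():
    """Returns (body the vulnerable fetch leaked, whether the safe fetch blocked it, legit body)."""
    leaked = fetch_logo_vulnerable("http://evil.example/logo.png", fake_transport, fake_resolver)
    try:
        fetch_logo_safe("http://evil.example/logo.png", fake_transport, fake_resolver)
        blocked = False
    except UnsafeUrl:
        blocked = True
    legit = fetch_logo_safe("http://cdn.example/logo.png", fake_transport, fake_resolver)
    return leaked, blocked, legit


if __name__ == "__main__":
    print(demo())
```

One caveat the hop-by-hop check does not close on its own: the address that passed validation is not necessarily the one the client later connects to, since DNS can answer differently on the second lookup. In a real fetcher, connect to the IP that was validated (cURL's CURLOPT_RESOLVE, or an equivalent pinned connection) rather than resolving the hostname again.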

Exploit

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-27479
GHSA-FGMF-7G5V-JMJG

Affected Products

Wallos