
Ellite

#47486 of 53,622
5.3 Total CVSS
Vulnerabilities · 1
PT-2026-23824
5.3
2026-03-07
Wallos · Wallos · CVE-2026-30839
**Name of the Vulnerable Software and Affected Versions**
Wallos versions prior to 4.6.2

**Description**
Wallos is a self-hostable personal subscription tracker. Versions prior to 4.6.2 contain a Server-Side Request Forgery (SSRF) condition in the `testwebhooknotifications.php` file. The application does not properly validate the target URL against private or reserved IP ranges, allowing an attacker to potentially read sensitive information from internal resources. The server's response to the crafted request is then returned to the attacker. The vulnerable component is the `testwebhooknotifications.php` file.

**Recommendations**
Update to version 4.6.2 or later.