PT-2026-23824 · Wallos · Wallos

Ellite · Published 2026-03-07 · Updated 2026-03-11 · CVE-2026-30839

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Wallos versions prior to 4.6.2

Description

Wallos is a self-hostable personal subscription tracker. Versions prior to 4.6.2 contain a Server-Side Request Forgery (SSRF) condition in the testwebhooknotifications.php file. The application does not properly validate the target URL against private or reserved IP ranges, so an attacker can make the server send requests to internal resources and potentially read sensitive information from them, because the server's response to the crafted request is returned to the attacker.

Recommendations

Update to version 4.6.2 or later.
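
The check the description says is missing, as an added example in PHP (not Wallos code and not the 4.6.2 patch): it refuses webhook URLs whose resolved addresses fall in private or reserved ranges, pins the connection to the validated address, and returns only the HTTP status instead of the response body. The function names are hypothetical, and hostname resolution is assumed to be IPv4-only via gethostbynamel().

```php
<?php
// Added example; function names are hypothetical, not taken from Wallos.

/** True only for an address outside the private and reserved ranges. */
function is_public_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/** Returns CURLOPT_RESOLVE pins for an acceptable URL, or null to refuse. */
function webhook_pins(string $url): ?array
{
    $p = parse_url($url);
    $scheme = strtolower($p['scheme'] ?? '');
    if (!isset($p['host']) || !in_array($scheme, ['http', 'https'], true)) {
        return null;                       // only well-formed web URLs
    }
    $host = trim($p['host'], '[]');        // unwrap an IPv6 literal
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    $literal = filter_var($host, FILTER_VALIDATE_IP) !== false;
    // Judge the addresses the server would actually connect to, so names
    // that point inward are caught by what they resolve to.
    // Assumption: hostnames are resolved IPv4-only via gethostbynamel().
    $ips = $literal ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) return null;          // unresolvable
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) return null;   // any internal address: refuse
    }
    return $literal ? [] : ["$host:$port:{$ips[0]}"];
}

/** Sends the test request; returns only the HTTP status, never the body. */
function send_test_webhook(string $url, string $body): ?int
{
    $pins = webhook_pins($url);
    if ($pins === null) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST => true, CURLOPT_POSTFIELDS => $body,
        CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 5,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect could point inward
        CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    ]);
    if ($pins !== []) curl_setopt($ch, CURLOPT_RESOLVE, $pins); // no second lookup
    return curl_exec($ch) === false ? null : curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
}
```

The ranges rejected are those PHP documents for the two filter flags; add explicit CIDR checks for anything else the deployment treats as internal.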

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-30839
GHSA-X4QP-XM2C-VQG9

Affected Products

Wallos