PT-2026-27470 · Wallos

B-Hermes · Published 2026-03-24 · Updated 2026-03-24 · CVE-2026-33401

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Wallos versions prior to 4.7.0

Description: Wallos is a self-hostable, open-source personal subscription tracker. An authenticated user can potentially reach internal network services, cloud metadata endpoints (AWS IMDSv1, GCP and Azure IMDS) or services bound to localhost by supplying a manipulated URL to the AI Ollama host parameter, the AI recommendations endpoint, or the notification cron job. The patch introduced in commit e8a513591 added Server-Side Request Forgery (SSRF) protection to the notification test endpoints but did not cover these additional attack surfaces.

Recommendations: Update to version 4.7.0 or later.

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers
CVE-2026-33401
GHSA-R82V-P8CG-RGX3

Affected Products
Wallos