CVE-2026-33407

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Name of the Vulnerable Software and Affected Versions Wallos versions prior to 4.7.0

Description The software is a self-hostable personal subscription tracker. A server-side request forgery (SSRF) condition exists due to a lack of validation for the HTTP PROXY and HTTPS PROXY environment variables in the /logos/search.php endpoint. The server resolves DNS using user-supplied search terms, allowing attackers to initiate outbound requests to arbitrary domains through proxy hijacking.

Recommendations Update to version 4.7.0 or later.

Exploit

Fix

Insecure Storage of Sensitive Information

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-922CWE-918

Related Identifiers

CVE-2026-33407

GHSA-HHJQ-82F8-M6RC

Affected Products

Wallos

CVE-2026-33407

Weakness Enumeration

Related Identifiers

Affected Products

References · 5