PT-2026-38444 · Wallos · Wallos

Morimori-Dev · Published 2026-05-07 · Updated 2026-05-07 · CVE-2026-41687

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Wallos versions prior to 4.8.1

Description: Authenticated users can perform blind Server-Side Request Forgery (SSRF) against internal services that use addresses in 100.64.0.0/10, the RFC 6598 shared address space used by Carrier-Grade NAT (CGNAT), Tailscale and similar overlay networks. The logo and icon URL fetching code validates the target with an inline IP check that covers the usual private ranges but does not block 100.64.0.0/10, even though a helper function is_cgnat_ip() is available in the code base and is not used there. The SSRF is blind (response contents are not returned to the attacker), which is reflected in the low confidentiality impact of the CVSS vector. The affected endpoints are 'endpoints/subscription/add.php' and 'endpoints/payments/add.php'.

Recommendations: Update to version 4.8.1.
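The following is an added example written for this page, not Wallos code (Wallos is PHP; this is a Python illustration of the same check). It models the gap the advisory describes: an inline check that knows only RFC 1918 and loopback lets 100.64.12.7 through, while a complete guard refuses it. The hostnames, the DNS table, the shape of the legacy blocklist and the function names (including this is_cgnat_ip(), which only borrows the helper's name from the advisory) are all assumptions made for the example.

```python
"""Added example (not Wallos code): why an inline RFC 1918 check lets
100.64.0.0/10 through, and what a complete SSRF guard for logo/icon URL
fetching looks like. Hostnames, the DNS table and the legacy blocklist are
constructed for this illustration."""
import ipaddress
from typing import Callable, Dict, List, Tuple, Union
from urllib.parse import urlparse

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# RFC 6598 shared address space: CGNAT, and the range Tailscale assigns.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Assumption: the naive inline check only enumerates RFC 1918 plus loopback.
LEGACY_BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# What an SSRF guard has to refuse: the above plus CGNAT, "this network",
# link-local, IETF protocol assignments, multicast, reserved, and the
# IPv6 counterparts (unspecified, loopback, ULA, link-local).
BLOCKED_NETWORKS = LEGACY_BLOCKLIST + [ipaddress.ip_network(n) for n in (
    "100.64.0.0/10", "0.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10")]


def normalize(ip_str: str) -> IPAddr:
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:100.64.0.1),
    so a v4 address smuggled in v6 syntax is judged by the v4 rules."""
    ip = ipaddress.ip_address(ip_str.strip("[]"))
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_cgnat_ip(ip: Union[str, IPAddr]) -> bool:
    """True for any address in 100.64.0.0/10 (own implementation)."""
    if isinstance(ip, str):
        ip = normalize(ip)
    return ip.version == 4 and ip in CGNAT


def weak_is_internal(ip_str: str) -> bool:
    """Models the inline check described in the advisory: it knows only the
    legacy ranges, so 100.64.12.7 is treated as a public address."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in LEGACY_BLOCKLIST)


def hardened_is_internal(ip_str: str) -> bool:
    """Explicit blocklist (including CGNAT) plus the stdlib's special-purpose
    registry view (is_global) as a backstop for anything the list omits."""
    ip = normalize(ip_str)
    if is_cgnat_ip(ip) or any(ip in net for net in BLOCKED_NETWORKS):
        return True
    return not ip.is_global


# Constructed DNS table so the example runs offline.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "logo.example.net": ["93.184.216.34"],
    "grafana.tailnet.example": ["100.101.102.103"],
    "dual.example.net": ["93.184.216.34", "100.64.0.9"],
}


def constructed_resolve(host: str) -> List[str]:
    return CONSTRUCTED_DNS.get(host, [])


def fetch_allowed(url: str, resolve: Callable[[str], List[str]]) -> Tuple[bool, str]:
    """Decide whether a user-supplied logo/icon URL may be fetched.

    Every resolved address must pass; one internal record in a multi-record
    answer is enough to refuse. In production, connect to the address you
    checked rather than resolving a second time, so a rebinding resolver
    cannot swap in an internal address between check and fetch."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "scheme or host rejected"
    host = parts.hostname
    try:
        ipaddress.ip_address(host)
        candidates = [host]          # literal address, nothing to resolve
    except ValueError:
        candidates = resolve(host)
    if not candidates:
        return False, "host did not resolve"
    for addr in candidates:
        if hardened_is_internal(addr):
            return False, f"{addr} is internal"
    return True, ",".join(candidates)


if __name__ == "__main__":
    for url in ("http://100.64.12.7/logo.png",
                "http://grafana.tailnet.example/logo.png",
                "http://[::ffff:100.64.0.1]/icon.png",
                "https://logo.example.net/logo.png"):
        print(url, fetch_allowed(url, constructed_resolve))
    print("weak check on 100.64.12.7:", weak_is_internal("100.64.12.7"))
```

The point the example makes is that an enumerated inline blocklist is only as good as its last update: a single shared helper that is actually called from every fetch path, plus a registry-based backstop such as is_global, is what keeps a new range (here CGNAT) from being missed in one endpoint while another is fixed.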

Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers: CVE-2026-41687

Affected Products: Wallos