Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
Wallos: Unsecured external URL redirection possible
CVE-2026-30839
Summary
A security issue in Wallos prior to version 4.6.2 allows an attacker to redirect your system to an unintended external website. This can happen if you receive a malicious webhook notification. Update to version 4.6.2 to prevent this risk.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| wallosapp | wallos | <= 4.6.2 | – |
Original title
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enab...
Original description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in version 4.6.2.
nvd CVSS4.0
5.3
Vulnerability type
CWE-918
Server-Side Request Forgery (SSRF)
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026