CVE-2026-41687

Severity: Medium (CVSS 3.1 base score 4.3) · EPSS 10.5%
Published May 7, 2026 · Modified Jun 17, 2026

Description

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.8.1, the SSRF protection in endpoints/subscription/add.php (line 42) and endpoints/payments/add.php (line 40) uses an inline IP validation check built on the PHP filter_var() flags FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE. Those flags reject the RFC 1918 private ranges and the reserved ranges, but not the carrier-grade NAT (CGNAT) range 100.64.0.0/10 (RFC 6598). The includes/ssrf_helper.php file defines is_cgnat_ip() specifically to cover this gap, and the notification endpoints use it, but the logo/icon URL fetching in the subscription and payment endpoints performs its own inline validation that misses this range. An authenticated user can therefore perform blind SSRF against internal services reachable on 100.64.0.0/10 addresses, as used by Tailscale, carrier-grade NAT deployments and similar environments. This issue has been patched in version 4.8.1.
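The gap described above, reproduced as an added example that is not Wallos code: inline_ip_check() mirrors the kind of filter_var() call the advisory describes, is_cgnat_ip() is a hypothetical re-implementation of the CGNAT test (not the function from includes/ssrf_helper.php), and hardened_ip_check() shows the two combined. The function names and the sample addresses are this example's own.

```php
<?php
// Added example, not Wallos code. Demonstrates why
// FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE lets 100.64.0.0/10 through
// and how an explicit CGNAT check closes the gap.
declare(strict_types=1);

// The shape of the inline check the advisory describes: accept any address
// that is neither RFC 1918 private nor in PHP's reserved-range list.
function inline_ip_check(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Hypothetical CGNAT test (not the project's is_cgnat_ip()).
// 100.64.0.0/10 is a 10-bit prefix, so the mask is 255.192.0.0.
function is_cgnat_ip(string $ip): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false; // not an IPv4 literal; the CGNAT range is IPv4-only
    }
    $addr = ip2long($ip);
    $mask = ip2long('255.192.0.0');
    $net  = ip2long('100.64.0.0');
    return ($addr & $mask) === $net;
}

// The corrected form: the original filter plus the CGNAT exclusion.
function hardened_ip_check(string $ip): bool
{
    return inline_ip_check($ip) && !is_cgnat_ip($ip);
}

// Constructed sample addresses: public, private, loopback, both ends of the
// CGNAT block, and the first address just past it.
$samples = [
    '8.8.8.8',         // public: both checks accept
    '10.0.0.5',        // RFC 1918: both checks reject
    '127.0.0.1',       // reserved: both checks reject
    '100.64.0.1',      // CGNAT start: inline accepts, hardened rejects
    '100.127.255.254', // CGNAT end: inline accepts, hardened rejects
    '100.128.0.1',     // just outside CGNAT: both checks accept
];

foreach ($samples as $ip) {
    printf(
        "%-16s inline=%-5s hardened=%s\n",
        $ip,
        var_export(inline_ip_check($ip), true),
        var_export(hardened_ip_check($ip), true)
    );
}
```

Two practical notes. First, on PHP 8.2 and later, filter_var() also accepts FILTER_FLAG_GLOBAL_RANGE, which rejects the non-global IPv4 ranges including 100.64.0.0/10 in one flag; on older PHP an explicit range test like the one above is needed. Second, whichever check is used must be applied to the address the fetch will actually connect to, not only to a literal IP found in the URL, or a hostname that resolves into the blocked range bypasses it.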

CVSS Details

Base Score
4.3
Exploitability
2.8
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
10.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available: fixed in Wallos 4.8.1 (see the commit and release references)

Weaknesses

CWE-918 Server-Side Request Forgery (SSRF)

References

  • github.com https://github.com/ellite/Wallos/commit/e79f28be6be0435fbc93563fb3c0e62206b48e85
  • github.com https://github.com/ellite/Wallos/releases/tag/v4.8.1
  • github.com https://github.com/ellite/Wallos/security/advisories/GHSA-4v59-hghw-7gc2

Remediation

Upgrade Wallos to version 4.8.1 or later, which carries the fix referenced above (commit e79f28be6be0435fbc93563fb3c0e62206b48e85). Verify after upgrading that the subscription and payment logo/icon fetch rejects a 100.64.0.0/10 address. If upgrading is not immediately possible, note that exploitation requires an authenticated account, so limit who can log in, and block egress from the Wallos host to 100.64.0.0/10 at the network level so a forged fetch cannot reach CGNAT or Tailscale-addressed services.