QwikSec

Security Database

CVE

CWE

Training

CVE-2026-33407

Published: Mar 24, 2026

Modified: Mar 26, 2026

PUBLISHED

Description

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling SSRF via proxy hijacking. The server performs DNS resolution on user-supplied search terms, which can be controlled by attackers to trigger outbound requests to arbitrary domains. This issue has been patched in version 4.7.0.

Vendor	Product	Versions
ellite	Wallos	affected `< 4.7.0`

Weaknesses (CWE)

References

https://github.com/ellite/Wallos/security/advisories/GHSA-hhjq-82f8-m6rc

x_refsource_CONFIRM

https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef#diff-d77202c5d47a3d7d4586e519f6f5e256da5fb2969fa8b9c75c399b2821e9de40

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.