CVE-2026-41687

Published: May 7, 2026

Modified: May 7, 2026

PUBLISHED

CVSS v3.1

4.3

MEDIUM

Description

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.8.1, the SSRF protection in endpoints/subscription/add.php (line 42) and endpoints/payments/add.php (line 40) uses an inline IP validation check (FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) that does not block CGNAT addresses (100.64.0.0/10, RFC 6598). The includes/ssrf_helper.php file explicitly defines is_cgnat_ip() to cover this gap (used by notification endpoints), but the logo/icon URL fetching in subscription and payment endpoints performs its own inline validation that misses this range. This allows authenticated users to perform Blind SSRF to internal services in Tailscale, Carrier-Grade NAT, and other environments using 100.64.0.0/10 addresses. This issue has been patched in version 4.8.1.

Vendor	Product	Versions
ellite	Wallos	affected `< 4.8.1`

Weaknesses (CWE)

CWE-918

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/ellite/Wallos/security/advisories/GHSA-4v59-hghw-7gc2

x_refsource_CONFIRM

https://github.com/ellite/Wallos/commit/e79f28be6be0435fbc93563fb3c0e62206b48e85

x_refsource_MISC

https://github.com/ellite/Wallos/releases/tag/v4.8.1

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-41687

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References