Server-Side Request Forgery Vulnerability in Wallos Personal Subscription Tracker
CVE-2026-27479

7.7HIGH

Key Information:

Vendor

Ellite

Status
Wallos
Vendor
CVE Published:
21 February 2026

What is CVE-2026-27479?

The Wallos Personal Subscription Tracker is susceptible to a Server-Side Request Forgery (SSRF) vulnerability due to its improper handling of URL validation in the logo/icon upload functionality. While the application initially checks the provided IP address of a URL, it is configured to allow HTTP redirects which can be exploited. An attacker could manipulate the redirect to bypass the IP address validation, potentially gaining unauthorized access to internal resources, including sensitive metadata endpoints of cloud instances. This vulnerability exists in versions 4.6.0 and below and has been addressed in version 4.6.1.

Affected Version(s)

Wallos < 4.6.1

References

https://github.com/ellite/Wallos/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/ellite/Wallos/commit/76a53df9cb4658123...
x_refsource_MISC
https://github.com/ellite/Wallos/releases/tag/v4.6.1
x_refsource_MISC

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.