Server-Side Request Forgery in Wallos Personal Subscription Tracker
CVE-2026-33401

7.1 HIGH

Key Information:

Vendor

Ellite

Status
Vendor
CVE Published:
24 March 2026

What is CVE-2026-33401?

Wallos Personal Subscription Tracker, an open-source application, is affected by a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 4.7.0. Although earlier patches addressed the notification test endpoints, three request paths remained exposed: the AI Ollama host parameter, the AI recommendations endpoint, and the notification cron job. An authenticated user can supply crafted URLs through these paths and cause the server to issue requests to internal network services, including localhost-bound services and the cloud metadata endpoints of platforms such as AWS, GCP, and Azure, potentially disclosing sensitive data. The issue is fixed in version 4.7.0.
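The defensive check the description implies, as an added illustration that is not Wallos' own code or its 4.7.0 fix: before the server fetches a user-supplied host such as the Ollama URL, it validates the scheme and rejects any destination that is loopback, link-local, private or otherwise non-public. The function name, the `resolver` hook and the sample hosts are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames that internal or metadata services commonly answer on (assumed list).
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}


def _is_blocked_ip(ip):
    """True for addresses that must never be reached from a user-supplied URL."""
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, link-local (cloud metadata), RFC 1918,
    # shared address space, unspecified and documentation ranges.
    return (not ip.is_global) or ip.is_multicast


def resolve_host(hostname):
    """Return every address the hostname resolves to, as strings (A and AAAA)."""
    return [info[4][0] for info in socket.getaddrinfo(hostname, None)]


def check_outbound_url(url, resolver=resolve_host):
    """Return None if the URL may be fetched, else a string explaining the refusal."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    if host.lower() in BLOCKED_HOSTNAMES:
        return "blocked hostname"
    try:
        candidates = [host]  # literal IP address
        ipaddress.ip_address(host)
    except ValueError:
        try:
            candidates = resolver(host)
        except OSError:
            return "unresolvable host"
    # Every answer must be public; a single internal answer is enough to refuse.
    for addr in candidates:
        ip = ipaddress.ip_address(addr)
        if _is_blocked_ip(ip):
            return f"resolves to non-public address {ip}"
    # Caveat: the caller should connect to the vetted address (not re-resolve),
    # otherwise a DNS answer that changes between check and fetch bypasses this.
    return None
```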

Affected Version(s)

Wallos < 4.7.0


CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved