SSRF Vulnerability in Wallos Personal Subscription Tracker by Ellite
CVE-2026-41687

4.3 MEDIUM

Key Information:

Vendor: Ellite
Status: Vendor
CVE Published: 7 May 2026

What is CVE-2026-41687?

Wallos, an open-source personal subscription tracker developed by Ellite, contains insufficient Server-Side Request Forgery (SSRF) protection in versions prior to 4.8.1: the IP address validation in certain endpoints fails to block the Carrier-Grade NAT (CGNAT) address range defined in RFC 6598. The notification endpoints include a mechanism that recognizes CGNAT addresses, but the subscription and payment endpoints use inline validation that omits this range. An authenticated user can therefore make the application issue requests to internal services (Blind SSRF), which is a significant risk in environments that use CGNAT addressing. Users are strongly encouraged to update to Wallos version 4.8.1, where the issue has been addressed.
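The flaw described above is a destination filter that knows about RFC 1918 private space but not about the RFC 6598 shared address space (100.64.0.0/10). The following is an added illustration, not Wallos code: a weak check of the kind the advisory describes beside a hardened one, using Python's ipaddress module. It is worth knowing that ipaddress reports 100.64.0.0/10 as neither private nor global, so a filter built on is_private alone lets CGNAT addresses through, exactly the gap the advisory reports. The function names, the sample addresses and the decision to unwrap IPv4-mapped IPv6 literals are all assumptions of this example.

```python
"""Added example (not Wallos code): an SSRF destination filter must treat
the RFC 6598 Carrier-Grade NAT block 100.64.0.0/10 as internal."""
import ipaddress
from typing import Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# RFC 6598 shared address space used by CGNAT deployments.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")


def _parse(addr: str) -> IPAddr:
    """Parse an IP literal and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)
    so the IPv4 rules below also apply to the wrapped address."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def naive_is_allowed(addr: str) -> bool:
    """Illustrative weak check (hypothetical, modelled on the advisory):
    refuse loopback, link-local and 'private' space, allow the rest.
    ipaddress.is_private is False for 100.64.0.0/10, so CGNAT passes."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def hardened_is_allowed(addr: str) -> bool:
    """Hardened check: allow only globally reachable unicast addresses,
    and refuse the CGNAT block explicitly as defence in depth.
    Meant to be the single shared validator every outbound-request
    endpoint calls, rather than per-endpoint inline copies."""
    try:
        ip = _parse(addr)
    except ValueError:
        return False
    if ip in CGNAT_NET:
        return False
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return False
    return ip.is_global


if __name__ == "__main__":
    # Constructed sample destinations, including the CGNAT boundary.
    samples = ["8.8.8.8", "10.0.0.5", "100.64.0.1", "100.127.255.255",
               "100.128.0.1", "::ffff:100.64.0.1", "127.0.0.1"]
    for s in samples:
        print(f"{s:20} naive={naive_is_allowed(s)!s:5} "
              f"hardened={hardened_is_allowed(s)!s:5}")
```

The filter above only covers IP literals; a complete SSRF guard also resolves hostnames and applies the same check to every resolved address (and to every redirect target) before connecting, otherwise DNS rebinding or a redirect sidesteps the literal check.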

Affected Version(s)

Wallos < 4.8.1

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability Reserved