SSRF Vulnerability in Wallos Personal Subscription Tracker by Ellite
CVE-2026-41688

7.7 HIGH

Key Information:

Vendor: Ellite
Status: Vendor
CVE Published: 7 May 2026

What is CVE-2026-41688?

Wallos, the open-source personal subscription tracker by Ellite, contains a Server-Side Request Forgery (SSRF) vulnerability in versions 4.8.4 and earlier. The flaw stems from an incomplete fix: webhook URLs are validated by resolving the hostname with gethostbyname(), but the original hostname is then passed to cURL without CURLOPT_RESOLVE pinning, so cURL resolves the name a second time. This affects 10 of the 11 outbound HTTP endpoints and creates a DNS rebinding Time-of-Check to Time-of-Use (TOCTOU) window: the address checked is not necessarily the address connected to. As of the current date, no patches are available to mitigate this vulnerability.
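The check-then-pin distinction the description turns on, written out as an added example in PHP (the language Wallos is written in). This is not Wallos's code and not the project's fix; the function names are assumptions. It shows the incomplete pattern (resolve with gethostbyname() for the check, then hand the hostname to cURL, which resolves it again) beside a version that validates every address the name resolves to and pins the connection with CURLOPT_RESOLVE so that the checked address is the one cURL actually uses.

```php
<?php
// Added example (not Wallos's code): validate a webhook URL and pin cURL to the
// address that was checked, so a DNS answer that changes between the check and
// the request cannot move the connection elsewhere. Function names are assumptions.

function isPublicAddress(string $ip): bool
{
    // FILTER_FLAG_NO_PRIV_RANGE rejects RFC 1918 space; FILTER_FLAG_NO_RES_RANGE
    // rejects loopback, link-local (169.254/16, cloud metadata), 0/8 and similar.
    // FILTER_FLAG_IPV4 keeps this example IPv4-only; IPv6 targets are rejected.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Incomplete pattern: the check resolves the name once, and cURL, given the
// original URL, resolves it again. Nothing ties the two lookups together.
function checkWebhookHostOnly(string $url): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;
    }
    $ip = gethostbyname($host);            // time of check
    // curl_setopt($ch, CURLOPT_URL, $url) later re-resolves $host: time of use
    return $ip !== $host && isPublicAddress($ip);
}

/**
 * Returns cURL options for a webhook URL, or null if the URL must be rejected.
 * Every address the name resolves to is validated, and host:port is pinned with
 * CURLOPT_RESOLVE so cURL connects to the validated address without a second lookup.
 */
function pinnedWebhookOptions(string $url): ?array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host']) || empty($parts['scheme'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;                        // no file://, gopher://, dict://, ...
    }
    $host = strtolower($parts['host']);
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    // A literal IP must itself be public; a hostname must resolve only to public IPs.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addresses = [$host];
    } else {
        $addresses = gethostbynamel($host); // all A records, false on failure
        if ($addresses === false || $addresses === []) {
            return null;
        }
    }
    foreach ($addresses as $ip) {
        if (!isPublicAddress($ip)) {
            return null;
        }
    }

    return [
        CURLOPT_URL            => $url,
        // Pin host:port to the address that passed the check.
        CURLOPT_RESOLVE        => [sprintf('%s:%d:%s', $host, $port, $addresses[0])],
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,    // a redirect would reach an unpinned host
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_RETURNTRANSFER => true,
    ];
}

function sendWebhook(string $url, string $jsonBody): ?string
{
    $options = pinnedWebhookOptions($url);
    if ($options === null) {
        return null;                        // rejected before any request is made
    }
    $ch = curl_init();
    curl_setopt_array($ch, $options + [
        CURLOPT_POST       => true,
        CURLOPT_POSTFIELDS => $jsonBody,
        CURLOPT_HTTPHEADER => ['Content-Type: application/json'],
    ]);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response === false ? null : $response;
}
```

Two design points matter here. The pin must match the port cURL will actually use, which is why the default port is derived from the scheme when the URL omits one. Redirects are disabled because a 3xx response would send cURL to a host that was never checked or pinned; if redirects are needed, each hop has to go through the same resolve-validate-pin step.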

Affected Version(s)

Wallos <= 4.8.4

References

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
