CVE-2026-33407 HIGH

CVE-2026-33407: Wallos: SSRF via HTTP Proxy Environment Variable

Vendor Ellite
Product Wallos
Weakness CWE-918 · SSRF
Published March 24, 2026
Last update March 26, 2026

CVSS base score

8.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling SSRF via proxy hijacking. The server performs DNS resolution on user-supplied search terms, which can be controlled by attackers to trigger outbound requests to arbitrary domains. This issue has been patched in version 4.7.0.

Key dates

02Disclosure timeline

March 24, 2026 CVE published
March 26, 2026 Record updated