CVE-2026-41688
🟡 Monitor
Incomplete SSRF fix in Wallos leaves a DNS rebinding window on its outbound HTTP (webhook) endpoints.
CVSS: 7.7
EPSS: 0.0%
Exploit: none
Vendor: (none listed)
Source description (NVD)
Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but passes the original hostname to cURL without CURLOPT_RESOLVE pinning on 10 of 11 outbound HTTP endpoints, leaving a DNS rebinding TOCTOU window. At time of publication, there are no publicly available patches.
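The description above names the classic check/use split: the hostname is resolved once for validation, then handed to cURL, which resolves it a second time, so an attacker-controlled DNS record can answer with a public address for the check and an internal one for the request. The block below is an added example, not Wallos code, written in PHP because that is the language the advisory's primitives (gethostbyname(), CURLOPT_RESOLVE) belong to. Function names, the private-range policy and the sample URL are assumptions chosen for illustration; the vulnerable variant reproduces the pattern the NVD text describes, the hardened one resolves once, validates every returned address and pins cURL to the validated one with CURLOPT_RESOLVE.

```php
<?php
// Added example (not Wallos code). Demonstrates the validate-then-resolve-again
// TOCTOU from the advisory and one way to close it with CURLOPT_RESOLVE.
// Function names and the URL below are illustrative assumptions.

// Reject loopback, link-local, RFC 1918, unique-local and similar ranges.
function isPublicIp(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// VULNERABLE PATTERN: one lookup for the check, a second (unpinned) lookup by
// cURL for the actual request. A rebinding DNS server can answer differently.
function fetchWebhookVulnerable(string $url): string|false
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    $ip = gethostbyname($host);            // check: first resolution
    if ($ip === $host || !isPublicIp($ip)) { // gethostbyname() echoes host on failure
        return false;
    }
    $ch = curl_init($url);                 // use: cURL resolves $host again
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// HARDENED: resolve once, validate every address, pin cURL to a validated one,
// and refuse redirects so no unpinned lookup can follow.
function fetchWebhookPinned(string $url): string|false
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    // Literal IPv4 hosts skip DNS; everything else gets all A records, and a
    // name that mixes public and private answers is rejected outright.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $addresses = [$host];
    } else {
        $records = dns_get_record($host, DNS_A);
        if ($records === false || count($records) === 0) {
            return false;
        }
        $addresses = array_column($records, 'ip');
    }
    foreach ($addresses as $addr) {
        if (!isPublicIp($addr)) {
            return false;
        }
    }
    $pinned = $addresses[0];

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // host:port:address tells cURL to use this IP without consulting DNS.
        CURLOPT_RESOLVE        => ["{$host}:{$port}:{$pinned}"],
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Usage (illustrative URL, assumption):
// var_dump(fetchWebhookPinned('https://hooks.example.com/notify'));
```

Two caveats a reviewer would raise. CURLOPT_RESOLVE pins the socket address only; with HTTPS the hostname is still used for SNI and certificate verification, which is what you want, but the pin does nothing when the request goes through an HTTP proxy that performs its own resolution. And the pin must be applied on every outbound call site, which is exactly the "10 of 11 endpoints" gap the advisory describes; a shared helper like the one above is the usual way to make that omission hard to repeat.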
ssrf
No patch (per the NVD text at publication; a commit is listed under References, so check the GitHub advisory for whether it addresses this issue before treating it as a fix)
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 7.7 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.0% |
| Published (NVD) | 2026-05-07 15:16:09 UTC |
| Last modified (NVD) | 2026-05-07 15:45:05 UTC |
References
- https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef (security-advisories@github.com)
- https://github.com/ellite/Wallos/security/advisories/GHSA-h4g7-xv3v-q73g (security-advisories@github.com)