CVE-2026-27479

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-27479
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27479.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27479
Aliases
  • GHSA-fgmf-7g5v-jmjg
Published
2026-02-21T08:15:19.953Z
Modified
2026-03-02T02:52:12.224827Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Wallos: SSRF via Redirect Bypass in Logo/Icon URL Fetch
Details

Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery (SSRF) vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the request, but allows HTTP redirects (CURLOPTFOLLOWLOCATION = true), enabling an attacker to bypass the IP validation and access internal resources, including cloud instance metadata endpoints. The getLogoFromUrl() function validates the URL by resolving the hostname and checking if the resulting IP is in a private or reserved range using FILTERFLAGNOPRIVRANGE | FILTERFLAGNORESRANGE. However, the subsequent cURL request is configured with CURLOPTFOLLOWLOCATION = true and CURLOPT_MAXREDIRS = 3, which means the request will follow HTTP redirects without re-validating the destination IP. This issue has been fixed in version 4.6.1.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27479.json"
}
References

Affected packages

Git / github.com/ellite/wallos

Affected ranges

Type
GIT
Repo
https://github.com/ellite/wallos
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
44774d36737ce7c1086a5dcbd3e1032e4778f4ab
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
76a53df9cb4658123b8f0b7cf1826f1ba7d1c960

Affected versions

v1.*
v1.0.0
v1.0.1
v1.1.0
v1.10.0
v1.11.0
v1.11.1
v1.11.2
v1.11.3
v1.12.0
v1.12.1
v1.13.0
v1.14.0
v1.14.1
v1.15.0
v1.15.1
v1.15.2
v1.15.3
v1.16.0
v1.16.1
v1.16.2
v1.16.3
v1.17.0
v1.17.1
v1.17.2
v1.17.3
v1.18.0
v1.18.1
v1.18.2
v1.18.3
v1.19.0
v1.2.0
v1.20.0
v1.20.1
v1.20.2
v1.21.0
v1.21.1
v1.22.0
v1.23.0
v1.24.0
v1.25.0
v1.25.1
v1.26.0
v1.26.1
v1.26.2
v1.27.0
v1.27.1
v1.27.2
v1.28.0
v1.29.0
v1.29.1
v1.3.0
v1.3.1
v1.4.0
v1.4.1
v1.5.0
v1.6.0
v1.7.0
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.9.0
v1.9.1
v2.*
v2.0.0
v2.1.0
v2.10.0
v2.11.0
v2.11.1
v2.11.2
v2.12.0
v2.13.0
v2.14.0
v2.14.1
v2.14.2
v2.15.0
v2.16.0
v2.16.1
v2.17.0
v2.18.0
v2.19.0
v2.19.1
v2.19.2
v2.19.3
v2.2.0
v2.20.0
v2.20.1
v2.21.0
v2.21.1
v2.21.2
v2.21.3
v2.22.0
v2.22.1
v2.23.0
v2.23.1
v2.23.2
v2.24.0
v2.24.1
v2.25.0
v2.26.0
v2.27.0
v2.27.1
v2.27.2
v2.27.3
v2.28.0
v2.29.0
v2.29.1
v2.29.2
v2.3.0
v2.30.0
v2.30.1
v2.31.0
v2.31.1
v2.32.0
v2.33.0
v2.33.1
v2.34.0
v2.35.0
v2.36.0
v2.36.1
v2.36.2
v2.37.0
v2.37.1
v2.38.0
v2.38.1
v2.38.2
v2.38.3
v2.39.0
v2.39.1
v2.4.0
v2.4.1
v2.4.2
v2.40.0
v2.41.0
v2.42.0
v2.42.1
v2.42.2
v2.43.0
v2.43.1
v2.44.0
v2.44.1
v2.45.0
v2.45.1
v2.45.2
v2.46.0
v2.46.1
v2.47.0
v2.47.1
v2.48.0
v2.48.1
v2.49.0
v2.49.1
v2.5.0
v2.5.1
v2.5.2
v2.50.0
v2.50.1
v2.51.0
v2.51.1
v2.52.0
v2.52.1
v2.52.2
v2.6.0
v2.6.1
v2.7.0
v2.8.0
v2.9.0
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.1.0
v3.1.1
v3.2.0
v3.3.0
v3.3.1
v4.*
v4.0.0
v4.1.0
v4.1.1
v4.2.0
v4.3.0
v4.4.0
v4.4.1
v4.5.0
v4.6.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27479.json"