CVE-2026-33401

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33401

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33401.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33401

Aliases

GHSA-r82v-p8cg-rgx3

Published

2026-03-24T17:58:47.336Z

Modified

2026-04-02T13:41:28.655248Z

Severity

7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Wallos: Incomplete fix for CVE-2026-30840 - SSRF in AI and notification endpoints bypass ssrf_helper.php

Details

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 (CVE-2026-30840) added SSRF protection to notification test endpoints but left three additional attack surfaces unprotected: the AI Ollama host parameter, the AI recommendations endpoint, and the notification cron job. An authenticated user can reach internal network services, cloud metadata endpoints (AWS IMDSv1, GCP, Azure IMDS), or localhost-bound services by supplying a crafted URL to any of these endpoints. This issue has been patched in version 4.7.0.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33401.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-918"
    ]
}

References

Affected packages

Git / github.com/ellite/wallos

Affected ranges

Type

GIT

Repo

https://github.com/ellite/wallos

Events

Introduced

Fixed

6e52b68718cc0e0efb21bc504437f98f585a2c48

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.7.0"
        }
    ]
}

Affected versions

v1.*

v1.0.0

v1.0.1

v1.1.0

v1.10.0

v1.11.0

v1.11.1

v1.11.2

v1.11.3

v1.12.0

v1.12.1

v1.13.0

v1.14.0

v1.14.1

v1.15.0

v1.15.1

v1.15.2

v1.15.3

v1.16.0

v1.16.1

v1.16.2

v1.16.3

v1.17.0

v1.17.1

v1.17.2

v1.17.3

v1.18.0

v1.18.1

v1.18.2

v1.18.3

v1.19.0

v1.2.0

v1.20.0

v1.20.1

v1.20.2

v1.21.0

v1.21.1

v1.22.0

v1.23.0

v1.24.0

v1.25.0

v1.25.1

v1.26.0

v1.26.1

v1.26.2

v1.27.0

v1.27.1

v1.27.2

v1.28.0

v1.29.0

v1.29.1

v1.3.0

v1.3.1

v1.4.0

v1.4.1

v1.5.0

v1.6.0

v1.7.0

v1.8.0

v1.8.1

v1.8.2

v1.8.3

v1.9.0

v1.9.1

v2.*

v2.0.0

v2.1.0

v2.10.0

v2.11.0

v2.11.1

v2.11.2

v2.12.0

v2.13.0

v2.14.0

v2.14.1

v2.14.2

v2.15.0

v2.16.0

v2.16.1

v2.17.0

v2.18.0

v2.19.0

v2.19.1

v2.19.2

v2.19.3

v2.2.0

v2.20.0

v2.20.1

v2.21.0

v2.21.1

v2.21.2

v2.21.3

v2.22.0

v2.22.1

v2.23.0

v2.23.1

v2.23.2

v2.24.0

v2.24.1

v2.25.0

v2.26.0

v2.27.0

v2.27.1

v2.27.2

v2.27.3

v2.28.0

v2.29.0

v2.29.1

v2.29.2

v2.3.0

v2.30.0

v2.30.1

v2.31.0

v2.31.1

v2.32.0

v2.33.0

v2.33.1

v2.34.0

v2.35.0

v2.36.0

v2.36.1

v2.36.2

v2.37.0

v2.37.1

v2.38.0

v2.38.1

v2.38.2

v2.38.3

v2.39.0

v2.39.1

v2.4.0

v2.4.1

v2.4.2

v2.40.0

v2.41.0

v2.42.0

v2.42.1

v2.42.2

v2.43.0

v2.43.1

v2.44.0

v2.44.1

v2.45.0

v2.45.1

v2.45.2

v2.46.0

v2.46.1

v2.47.0

v2.47.1

v2.48.0

v2.48.1

v2.49.0

v2.49.1

v2.5.0

v2.5.1

v2.5.2

v2.50.0

v2.50.1

v2.51.0

v2.51.1

v2.52.0

v2.52.1

v2.52.2

v2.6.0

v2.6.1

v2.7.0

v2.8.0

v2.9.0

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.1.0

v3.1.1

v3.2.0

v3.3.0

v3.3.1

v4.*

v4.0.0

v4.1.0

v4.1.1

v4.2.0

v4.3.0

v4.4.0

v4.4.1

v4.5.0

v4.6.0

v4.6.1

v4.6.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33401.json"