SecuriTricks - CVE-2026-41689

Description

Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use Wallos to send server-side requests to allowlisted internal automation services. When such a target exposes deployment or execution APIs, this can further enable adjacent-service RCE, but that downstream result is conditional on the target service. At time of publication, there are no publicly available patches.

Product(s) Impacted

Vendor	Product	Versions
Wallos	Wallos	<4.8.4

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	wallos	wallos	<4.8.4	/	/	/	/	/	/	/

References

https://github.com/ellite/Wallos/security/advisories/GHSA-jx6w-832g-42wv

CVSS Score

6.0 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

View Vector String

Timeline

Published: May 7, 2026, 3:16 p.m.
Last Modified: May 7, 2026, 4:16 p.m.

Status : Deferred

When a CVE is given this status the NVD does not plan analyze or re-analyze this CVE due to resource or other concerns.

More info

Source

[email protected]

CVE-2026-41689