Description
Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use Wallos to send server-side requests to allowlisted internal automation services. When such a target exposes deployment or execution APIs, this can further enable adjacent-service RCE, but that downstream result is conditional on the target service. At time of publication, there are no publicly available patches.
Problem types
CWE-863: Incorrect Authorization
CWE-918: Server-Side Request Forgery (SSRF)
Product status
References
github.com/...Wallos/security/advisories/GHSA-jx6w-832g-42wv
github.com/...Wallos/security/advisories/GHSA-jx6w-832g-42wv