Cyber Resilience

CVE-2026-27479

High · Public PoC

Published: 21 February 2026

Modified
24 February 2026
CVSS Score v3.1: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0031 (22.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-27479 is a high-severity SSRF (CWE-918) vulnerability in Wallosapp Wallos. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Instance Metadata API (T1552.005). The CVE is ranked at the 22.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Wallos, an open-source self-hostable personal subscription tracker, in versions 4.6.0 and below, contains CVE-2026-27479, a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918. The flaw resides in the subscription and payment logo/icon upload functionality, specifically the getLogoFromUrl() function. This function validates the provided URL by resolving its hostname and checking the resulting IP address against private or reserved ranges using FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE. However, the subsequent cURL request is configured with CURLOPT_FOLLOWLOCATION set to true and CURLOPT_MAXREDIRS to 3, permitting HTTP redirects to destinations without re-validating their IP addresses.

The vulnerability can be exploited by an authenticated attacker with low privileges (PR:L) over the network (AV:N), requiring low attack complexity (AC:L) and no user interaction (UI:N). By supplying a malicious URL that initially resolves to a public IP but redirects to internal resources, the attacker bypasses validation, enabling access to internal services such as cloud instance metadata endpoints. This results in high confidentiality impact (C:H) with a changed scope (S:C) and no integrity or availability effects (I:N/A:N), yielding a CVSS v3.1 base score of 7.7.

The fix ships in Wallos version 4.6.1, which closes the SSRF redirect bypass. Security practitioners are advised to upgrade immediately. Details are provided in the GitHub security advisory (GHSA-fgmf-7g5v-jmjg), the v4.6.1 release notes, and the patching commit (76a53df9cb4658123b8f0b7cf1826f1ba7d1c960).

Vulnerability details

Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery (SSRF) vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the request, but allows HTTP redirects (CURLOPT_FOLLOWLOCATION = true), enabling an attacker to bypass the IP validation and access internal resources, including cloud instance metadata endpoints. The getLogoFromUrl() function validates the URL by resolving the hostname and checking if the resulting IP is in a private or reserved range using FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE. However, the subsequent cURL request is configured with CURLOPT_FOLLOWLOCATION = true and CURLOPT_MAXREDIRS = 3, which means the request will follow HTTP redirects without re-validating the destination IP. This issue has been fixed in version 4.6.1.
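The defensive pattern the advisory implies, as an added PHP example that is not Wallos code or the upstream fix (helper names fetchLogoSafely() and resolvePublicIp() are hypothetical; the page's own function is getLogoFromUrl()): leave CURLOPT_FOLLOWLOCATION off, walk redirects by hand, and re-run the same private/reserved-range check on every hop, pinning the validated address with CURLOPT_RESOLVE so a DNS answer cannot change between check and connect. It assumes IPv4-only resolution via gethostbyname().

```php
<?php
// Added example, not Wallos code. fetchLogoSafely()/resolvePublicIp() are hypothetical names.

function resolvePublicIp(string $url): ?string {
    $p = parse_url($url);
    if ($p === false || empty($p['host'])
        || !in_array($p['scheme'] ?? '', ['http', 'https'], true)) {
        return null;
    }
    if (filter_var($p['host'], FILTER_VALIDATE_IP)) {
        $ip = $p['host'];                      // literal IP, no DNS lookup needed
    } else {
        $ip = gethostbyname($p['host']);       // A record only; returns host unchanged on failure
        if ($ip === $p['host']) return null;
    }
    // Same private/reserved-range check the advisory describes, applied per hop.
    $ok = filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
    return $ok === false ? null : $ip;
}

function fetchLogoSafely(string $url, int $maxRedirects = 3): ?string {
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        $ip = resolvePublicIp($url);
        if ($ip === null) return null;         // private, reserved or unresolvable: refuse
        $p = parse_url($url);
        $port = $p['port'] ?? ($p['scheme'] === 'https' ? 443 : 80);
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,   // libcurl never follows a redirect on its own
            // Pin the connection to the IP just validated, so a DNS answer that changes
            // between check and connect (rebinding) cannot slip past the range check.
            CURLOPT_RESOLVE        => ["{$p['host']}:{$port}:{$ip}"],
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_TIMEOUT        => 10,
        ]);
        $body   = curl_exec($ch);
        $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next   = curl_getinfo($ch, CURLINFO_REDIRECT_URL);
        curl_close($ch);
        if ($status >= 300 && $status < 400 && $next) {
            $url = $next;                      // loop re-validates the redirect target
            continue;
        }
        return ($status === 200 && $body !== false) ? $body : null;
    }
    return null;                               // more than $maxRedirects hops
}
```

For IPv6 deployments the lookup must also cover AAAA records (e.g. via dns_get_record()) and run the same filter on each returned address.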

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1552.005 Cloud Instance Metadata API (Credential Access)
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

An SSRF bypass via unvalidated redirects lets the server be made to query internal cloud instance metadata endpoints, which maps directly to Cloud Instance Metadata API (T1552.005), a sub-technique of Unsecured Credentials (T1552), to obtain credentials/tokens.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33399 · Same product: Wallosapp Wallos
CVE-2026-33407 · Same product: Wallosapp Wallos
CVE-2026-30828 · Same product: Wallosapp Wallos
CVE-2026-33417 · Same product: Wallosapp Wallos
CVE-2026-41297 · Shared CWE-918
CVE-2026-34936 · Shared CWE-918
CVE-2026-33679 · Shared CWE-918
CVE-2026-27732 · Shared CWE-918
CVE-2026-27706 · Shared CWE-918
CVE-2026-32133 · Shared CWE-918

Affected Assets

wallosapp / wallos ≤ 4.6.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent · SI-10 (Information Input Validation): Enforces rigorous validation of user-supplied URLs, including post-redirect destinations, to block SSRF bypasses in the logo upload function.

Prevent · SI-2 (Flaw Remediation): Directly remediates the SSRF vulnerability by identifying, patching, and verifying the fix as implemented in Wallos version 4.6.1.

Prevent / Detect: Monitors and controls application outbound network communications at boundaries to restrict access to internal resources like cloud metadata endpoints.
