CVE-2026-30828
Published: 07 March 2026
Summary
CVE-2026-30828 is a high-severity Path Traversal (CWE-22) vulnerability in Wallosapp Wallos. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-30828 is a vulnerability in Wallos, an open-source, self-hostable personal subscription tracker. In versions prior to 4.6.2, the "url" parameter can be manipulated to retrieve arbitrary local system files. This flaw is associated with CWE-22 (Path Traversal), CWE-29 (Trusted Path), and CWE-918 (Server-Side Request Forgery), earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Remote attackers can exploit this vulnerability over the network with low complexity, no required privileges, and no user interaction. Unauthenticated adversaries simply need to send a crafted request with a malicious "url" parameter value, enabling them to disclose sensitive local files on the Wallos server, such as configuration files or other system data.
The vulnerability has been patched in Wallos version 4.6.2. The GitHub security advisory (GHSA-p7qj-669r-grvc), release notes for v4.6.2, and the patching commit (e8a513591dbbf885966e2ef55c38622785b9060d) detail the fix; administrators should upgrade immediately to mitigate the risk.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10116
Vulnerability details
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal/SSRF in public-facing Wallos web app directly enables remote file read (T1190 initial access + T1005 data collection from local system).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents path traversal exploitation by requiring validation of the 'url' parameter to block access to arbitrary local system files.
Mitigates the vulnerability through flaw remediation by applying the patch in Wallos version 4.6.2.
Enforces approved authorizations for access to system resources like local files, reducing impact of input manipulation attempts.