CVE-2026-30828

HighPublic PoC

Published: 07 March 2026

Published

07 March 2026

Modified

11 March 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0003 7.7th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-30828 is a high-severity Path Traversal (CWE-22) vulnerability in Wallosapp Wallos. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-10 Information Input Validation

addresses: CWE-22 CWE-918

Validates pathnames and filenames to prevent traversal outside intended directories.

CA-8 Penetration Testing

addresses: CWE-918

Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.

SC-7 Boundary Protection

addresses: CWE-918

Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.

SI-4 System Monitoring

addresses: CWE-918

Detects server-side request forgery through monitoring of unexpected outbound connections.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

Path traversal/SSRF in public-facing Wallos web app directly enables remote file read (T1190 initial access + T1005 data collection from local system).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.2.

Deeper analysisAI

CVE-2026-30828 is a vulnerability in Wallos, an open-source, self-hostable personal subscription tracker. In versions prior to 4.6.2, the "url" parameter can be manipulated to retrieve arbitrary local system files. This flaw is associated with CWE-22 (Path Traversal), CWE-29 (Trusted Path), and CWE-918 (Server-Side Request Forgery), earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remote attackers can exploit this vulnerability over the network with low complexity, no required privileges, and no user interaction. Unauthenticated adversaries simply need to send a crafted request with a malicious "url" parameter value, enabling them to disclose sensitive local files on the Wallos server, such as configuration files or other system data.

The vulnerability has been patched in Wallos version 4.6.2. The GitHub security advisory (GHSA-p7qj-669r-grvc), release notes for v4.6.2, and the patching commit (e8a513591dbbf885966e2ef55c38622785b9060d) detail the fix; administrators should upgrade immediately to mitigate the risk.