Cyber Resilience

CVE-2026-30828

HighPublic PoC

Published: 07 March 2026

Published
07 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0053 40.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-30828 is a high-severity Path Traversal (CWE-22) vulnerability in Wallosapp Wallos. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-30828 is a vulnerability in Wallos, an open-source, self-hostable personal subscription tracker. In versions prior to 4.6.2, the "url" parameter can be manipulated to retrieve arbitrary local system files. This flaw is associated with CWE-22 (Path Traversal), CWE-29 (Trusted Path), and CWE-918 (Server-Side Request Forgery), earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remote attackers can exploit this vulnerability over the network with low complexity, no required privileges, and no user interaction. Unauthenticated adversaries simply need to send a crafted request with a malicious "url" parameter value, enabling them to disclose sensitive local files on the Wallos server, such as configuration files or other system data.

The vulnerability has been patched in Wallos version 4.6.2. The GitHub security advisory (GHSA-p7qj-669r-grvc), release notes for v4.6.2, and the patching commit (e8a513591dbbf885966e2ef55c38622785b9060d) detail the fix; administrators should upgrade immediately to mitigate the risk.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal/SSRF in public-facing Wallos web app directly enables remote file read (T1190 initial access + T1005 data collection from local system).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33399Same product: Wallosapp Wallos
CVE-2026-33407Same product: Wallosapp Wallos
CVE-2026-27479Same product: Wallosapp Wallos
CVE-2026-33417Same product: Wallosapp Wallos
CVE-2026-27018Shared CWE-22, CWE-918
CVE-2025-26753Shared CWE-22
CVE-2026-23939Shared CWE-22
CVE-2025-69411Shared CWE-22
CVE-2025-25997Shared CWE-22
CVE-2025-27837Shared CWE-22

Affected Assets

wallosapp
wallos
≤ 4.6.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents path traversal exploitation by requiring validation of the 'url' parameter to block access to arbitrary local system files.

prevent

Mitigates the vulnerability through flaw remediation by applying the patch in Wallos version 4.6.2.

prevent

Enforces approved authorizations for access to system resources like local files, reducing impact of input manipulation attempts.

References