CVE-2026-33407
Published: 24 March 2026
Summary
CVE-2026-33407 is a critical-severity SSRF (CWE-918) vulnerability in Wallosapp Wallos. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Validates user-supplied search terms to prevent arbitrary DNS resolution and SSRF exploitation in the logos/search.php endpoint.
Monitors and controls outbound communications at system boundaries to block SSRF requests to arbitrary internal or external domains.
Enforces flow control policies to prohibit unauthorized server-side outbound connections triggered by unvalidated proxy environment variables or inputs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in the public-facing Wallos app (T1190) directly allows unauthenticated remote exploitation; it forces arbitrary DNS resolution and outbound connections from the server, enabling Remote System Discovery (T1018) and Network Service Discovery (T1046).
NVD Description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling SSRF via proxy hijacking. The server performs DNS resolution on user-supplied search terms, which can be controlled by attackers to trigger outbound requests to arbitrary domains. This issue has been patched in version 4.7.0.
Deeper analysis
CVE-2026-33407 is a server-side request forgery (SSRF) vulnerability, associated with CWE-918 and CWE-922, affecting Wallos, an open-source, self-hostable personal subscription tracker, in versions prior to 4.7.0. The issue stems from the endpoints/logos/search.php component, which accepts HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling SSRF via proxy hijacking. Additionally, the server performs DNS resolution on user-supplied search terms in this endpoint, allowing outbound requests to arbitrary domains.
Attackers can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) and no user interaction (UI:N), and without a scope change (S:U). Per its CVSS v3.1 vector (base score 9.1), exploitation has high impact on confidentiality (C:H) and availability (A:H) and no impact on integrity (I:N). Remote unauthenticated attackers can control search terms or proxy settings to force the server to resolve and connect to arbitrary domains, potentially enabling internal network scanning, data exfiltration, or denial-of-service conditions.
The vulnerability has been patched in Wallos version 4.7.0. Mitigation involves upgrading to this version or later. Further details on the fix are provided in the GitHub security advisory at GHSA-hhjq-82f8-m6rc and the patching commit at e87387f0ebb540cd33e6dfda7181db9db650ecef.
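As an added defender-side illustration (this is not Wallos code, whose endpoint is PHP, and the helper names are hypothetical), the following Python sketch shows the two controls the advisory implies for a logo-search style endpoint: the search term is restricted to a bare public hostname and must resolve only to public addresses before any outbound request, and the HTTP opener is built so that HTTP_PROXY/HTTPS_PROXY environment variables are never consulted. It assumes an injectable resolver so the checks can be exercised offline.

```python
import ipaddress
import re
import socket
import urllib.request

# Accept only a bare, dotted hostname: no scheme, port, path, userinfo or IP literal.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def is_valid_search_term(term: str) -> bool:
    """True only when the term looks like a public DNS name (hypothetical helper)."""
    return bool(HOSTNAME_RE.match(term.strip().lower()))


def is_public_address(addr: str) -> bool:
    """Reject loopback, RFC 1918, link-local (169.254.0.0/16, fe80::/10), ULA, etc."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_private


def default_resolver(host: str) -> list:
    """Resolve via the system resolver; returns every A/AAAA answer."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_logo_target(term: str, resolver=default_resolver):
    """Return (ok, detail). The term is validated before any DNS lookup happens, so a
    malformed term never causes the server to resolve an attacker-chosen name."""
    if not is_valid_search_term(term):
        return False, "search term is not a bare public hostname"
    host = term.strip().lower()
    try:
        addrs = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    bad = [a for a in addrs if not is_public_address(a)]
    if not addrs or bad:
        return False, f"{host} resolves to non-public address(es): {bad}"
    # The caller should connect to one of `addrs` (pinning the checked IP) rather
    # than re-resolving, otherwise a DNS rebinding answer could slip past the check.
    return True, addrs


def build_no_env_proxy_opener() -> urllib.request.OpenerDirector:
    """ProxyHandler({}) disables proxy discovery from HTTP_PROXY/HTTPS_PROXY, so a
    hijacked proxy variable cannot redirect the server's outbound logo request."""
    return urllib.request.build_opener(urllib.request.ProxyHandler({}))
```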
Details
- CWE(s)