Platform
php
Component
wallos
Fixed in
4.6.2
CVE-2026-27479 describes a Server-Side Request Forgery (SSRF) vulnerability in Wallos, an open-source subscription tracker. The flaw lets an attacker bypass the application's IP address validation and reach internal resources, including cloud instance metadata. Versions 4.6.0 and earlier are affected; a patch is available in version 4.6.1.
The SSRF sits in the code that fetches a subscription or payment-method logo/icon from a user-supplied URL. The application resolves the URL's host and checks that the resulting IP address is not internal, but it then fetches the URL with curl with CURLOPT_FOLLOWLOCATION set to true. The check is applied only to the URL the user submitted: when the remote server answers with a 3xx redirect, curl follows it inside the same call and the new target is never validated (a check-then-follow gap). An attacker therefore points the logo URL at a public host they control, which passes validation, and has that host redirect to an internal address such as 127.0.0.1, a service in 10.0.0.0/8, or the cloud instance metadata endpoint at 169.254.169.254. Where the fetched content is stored and served back as the logo, the internal response becomes readable; even where it is not, the request itself reaches the internal service. On a cloud host this can expose instance identity, user data and, on AWS with IMDSv1 still enabled, temporary IAM credentials under /latest/meta-data/iam/security-credentials/, which is enough for unauthorized access to cloud infrastructure. Two caveats for anyone assessing exposure: AWS IMDSv2 requires a PUT request to obtain a session token before metadata can be read, and Azure and Google Cloud require a request header (Metadata: true and Metadata-Flavor: Google respectively); a plain redirect-following GET supplies none of these, so the metadata service is reached most readily where IMDSv1 is enabled, while other internal HTTP services remain reachable regardless.
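The check-then-follow gap and its fix, as an added example that is not Wallos code or code from the page. Wallos is PHP and the page describes curl's CURLOPT_FOLLOWLOCATION; this standard-library Python version reproduces the same pattern generically: `vulnerable_fetch` validates the submitted URL once and then lets a redirect-following client run, while `safe_fetch` disables client-side redirects and pushes every hop through the same validation. The hostnames, addresses and HTTP responses in `FAKE_DNS` and `FAKE_HTTP` are constructed for the demonstration; `urllib_opener` is the real-network opener a deployment would pass in.

```python
"""Check-then-follow SSRF versus per-hop validation (added example, not Wallos code)."""
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5


class UnsafeTarget(Exception):
    """Raised when a URL, or a redirect hop, points somewhere we must not fetch."""


def default_resolver(host):
    """Every A/AAAA address a hostname has, via real DNS."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def address_is_public(addr):
    """True only for globally routable addresses; unwraps IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip.is_global


def assert_safe_url(url, resolver=default_resolver):
    """Reject non-http(s) schemes and any host with a non-public address."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise UnsafeTarget(f"scheme/host not allowed: {url}")
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal
    except ValueError:
        addrs = resolver(host)                      # hostname: check every record
    if not addrs or not all(address_is_public(a) for a in addrs):
        raise UnsafeTarget(f"{host} -> {addrs} is not a public address")
    # Caveat: a real client should then connect to the validated address (curl:
    # CURLOPT_RESOLVE) so a second DNS lookup cannot rebind the name elsewhere.
    return addrs


def _location(headers):
    return {k.lower(): v for k, v in headers.items()}.get("location")


def follow_blindly(opener, max_redirects=MAX_REDIRECTS):
    """Turn a non-following opener into one that follows 3xx, like CURLOPT_FOLLOWLOCATION."""
    def follow(url):
        for _ in range(max_redirects + 1):
            status, headers, body = opener(url)
            location = _location(headers)
            if status in REDIRECT_CODES and location:
                url = urljoin(url, location)   # no validation of the new target
                continue
            return url, body
        raise UnsafeTarget("too many redirects")
    return follow


def vulnerable_fetch(url, opener, resolver=default_resolver):
    """Flawed pattern: the check runs once on the submitted URL, every hop is trusted."""
    assert_safe_url(url, resolver)
    return follow_blindly(opener)(url)


def safe_fetch(url, opener, resolver=default_resolver, max_redirects=MAX_REDIRECTS):
    """Fixed pattern: redirects are followed here, and every hop goes through the check."""
    for _ in range(max_redirects + 1):
        assert_safe_url(url, resolver)
        status, headers, body = opener(url)
        location = _location(headers)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)
            continue
        return url, body
    raise UnsafeTarget("too many redirects")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # never follow; the caller decides


def urllib_opener(url, timeout=5):
    """Real opener for safe_fetch: hands back the raw 3xx instead of following it."""
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), b""


# Constructed stand-in network: an attacker-controlled public host answers with a
# 302 to the AWS-style metadata address, which then "serves" metadata.
FAKE_DNS = {"cdn.attacker.example": ["93.184.216.34"]}
FAKE_HTTP = {
    "http://cdn.attacker.example/logo.png": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://cdn.attacker.example/real.png": (200, {"Content-Type": "image/png"}, b"\x89PNG"),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"ami-id\ninstance-id\niam/\n"),
}
fake_resolver = FAKE_DNS.__getitem__
fake_opener = FAKE_HTTP.__getitem__


def outcome(fetcher, url, opener=fake_opener, resolver=fake_resolver):
    """Run a fetcher against the constructed network and report what happened."""
    try:
        final_url, body = fetcher(url, opener, resolver)
        return ("fetched", final_url, body)
    except UnsafeTarget as err:
        return ("blocked", str(err), b"")


if __name__ == "__main__":
    for fetcher in (vulnerable_fetch, safe_fetch):
        print(fetcher.__name__, outcome(fetcher, "http://cdn.attacker.example/logo.png"))
```

Run stand-alone, the vulnerable path returns the metadata listing from 169.254.169.254 even though the submitted URL passed validation, and the fixed path stops at the redirect hop. The first-hop check alone is not the fix; the client must stop following redirects on its own.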
CVE-2026-27479 was publicly disclosed on 2026-02-21. No public proof-of-concept code had been released at the time of writing, but a redirect-based SSRF needs nothing more than a URL on a host the attacker controls that answers with a 3xx, so the absence of a PoC offers little protection. The EPSS score at the time of writing is 0.03% (10th percentile), a low predicted probability of exploitation in the wild; read it alongside the low skill required and the impact of metadata exposure rather than as a reason to defer patching. The vulnerability is not listed in the CISA KEV catalogue.
Organizations running Wallos are at risk, especially where it is hosted on a cloud platform (AWS, Azure, Google Cloud) whose instance metadata service is reachable from the host, or on a network with internal services reachable from the Wallos server or container. In shared or multi-tenant hosting the Wallos host becomes a pivot: the SSRF lets an attacker send requests from that host to any address it can reach, including other applications on the same network that trust internal callers.
• php: Examine the Wallos access log for requests to the logo/icon URL endpoint whose URL parameter points at a loopback, private or link-local address, or at a cloud metadata endpoint. The Apache access log records inbound requests only, not the redirect that curl followed, and a redirect-based bypass submits a harmless-looking public URL; absence of hits here therefore does not rule out exploitation, and outbound traffic should be checked in egress/firewall logs or in the cloud provider's metadata access records.
grep -E '169\.254\.169\.254|127\.0\.0\.1|localhost|metadata' /var/log/apache2/access.log
• generic web: Monitor access logs for requests to the logo upload endpoint with suspicious URL parameters. The endpoint path and parameter name below are illustrative; substitute the actual Wallos endpoint. Note that curl -I sends a HEAD request, which will not exercise a handler that expects the application's own form submission; reproduce with the same request the UI sends.
curl -I 'http://your-wallos-instance/upload_logo.php?url=http://evil.com/redirect'
• generic web: Check the response for signs of internal resource exposure, for example metadata listings or internal service banners returned where image data was expected.
curl -I 'http://your-wallos-instance/upload_logo.php?url=http://169.254.169.254/latest/meta-data/'
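A log triage script for the detection step above, added here as an example; it is not part of the page or of Wallos. The endpoint path `/upload_logo.php` and the `url` parameter are assumptions carried over from the commands above and must be replaced with the real ones, and the Apache combined-format lines in `SAMPLE_LOG` are constructed. Because an inbound log only shows the URL the client submitted, the script flags direct internal targets (including decimal and IPv6 loopback forms), disallowed schemes, and well-known metadata hostnames, and reports every other fetch as "external" so it can be correlated with egress logs rather than dismissed. It goes slightly beyond the grep above by decoding the parameter and classifying the target instead of matching fixed strings.

```python
"""Triage of logo-URL submissions in an Apache access log (added example)."""
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlparse

# Apache combined format: client ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
FETCH_PATH = "/upload_logo.php"   # assumption: endpoint that fetches a remote logo
URL_PARAM = "url"                 # assumption: parameter carrying the remote URL
# Well-known metadata names (GCP, AWS EC2) plus localhost; extend for your environment.
METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data", "localhost"}


def classify_target(raw):
    """Verdict for one submitted URL: scheme:<x>, internal-ip:<h>, internal-name:<h> or external."""
    parts = urlparse(raw)
    if parts.scheme not in ("http", "https"):
        return f"scheme:{parts.scheme or 'none'}"
    host = parts.hostname or ""
    try:
        # int() handles decimal forms such as http://2130706433/ (= 127.0.0.1)
        ip = ipaddress.ip_address(int(host) if host.isdigit() else host)
        if not ip.is_global:
            return f"internal-ip:{host}"
    except ValueError:
        if host in METADATA_HOSTS or host.endswith((".internal", ".local", ".localhost")):
            return f"internal-name:{host}"
    # Benign-looking, but a redirect on the remote host is invisible here:
    # correlate these with egress/firewall logs.
    return "external"


def triage(lines):
    """Return (client_ip, timestamp, verdict, submitted_value) for every logo fetch request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlparse(m["target"])
        if target.path != FETCH_PATH:
            continue
        for value in parse_qs(target.query).get(URL_PARAM, []):
            # parse_qs decoded once; decode again to catch double-encoded submissions
            hits.append((m["ip"], m["ts"], classify_target(unquote(value)), value))
    return hits


# Constructed sample log lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Feb/2026:10:01:02 +0000] "GET /upload_logo.php?url=https%3A%2F%2Fcdn.example.net%2Flogo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Feb/2026:10:01:09 +0000] "GET /upload_logo.php?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 1024 "-" "curl/8.5.0"
203.0.113.7 - - [21/Feb/2026:10:01:15 +0000] "GET /upload_logo.php?url=http%3A%2F%2F%5B%3A%3A1%5D%3A8080%2F HTTP/1.1" 200 77 "-" "curl/8.5.0"
198.51.100.3 - - [21/Feb/2026:10:02:00 +0000] "GET /upload_logo.php?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 500 0 "-" "curl/8.5.0"
198.51.100.3 - - [21/Feb/2026:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Feb/2026:10:03:00 +0000] "GET /upload_logo.php?url=http%3A%2F%2Fmetadata.google.internal%2FcomputeMetadata%2Fv1%2F HTTP/1.1" 200 300 "-" "curl/8.5.0"
"""


def suspicious_clients(lines):
    """Client IPs with at least one non-external verdict, with their hit counts."""
    counts = {}
    for ip, _ts, verdict, _value in triage(lines):
        if verdict != "external":
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG.splitlines()):
        print(*hit)
    print(suspicious_clients(SAMPLE_LOG.splitlines()))
```

Only GET parameters reach the access log; if the real endpoint takes the URL in a POST body, the same classification has to run on application-level logs or on a request-logging proxy instead.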
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27479 is to upgrade Wallos to version 4.6.1 or later, which contains the fix. If an immediate upgrade is not feasible, reduce exposure in the meantime. A WAF in front of Wallos sees only the inbound request, so it can reject logo URLs that name internal or metadata addresses but cannot see the redirect hop the bypass relies on; the effective interim control is egress filtering on the Wallos host or container, blocking outbound connections to loopback, RFC 1918 and link-local ranges including 169.254.169.254. On AWS, enforce IMDSv2 (a token-only metadata service with a hop limit of 1), which a redirect-following GET cannot satisfy; Azure and Google Cloud metadata already require a custom request header. Where the deployment allows it, restrict logo/icon sources to an allow-list of domains and to the http and https schemes. Monitor outbound traffic and the application logs for requests reaching internal addresses or the metadata service. After upgrading, confirm the fix with a URL you control that answers with a 302 to an internal address such as http://127.0.0.1/ and verify that the fetch is rejected rather than followed.
Update Wallos to version 4.6.1 or later. This version fixes the SSRF vulnerability by properly validating HTTP redirects when fetching logos and icons for subscriptions and payment methods.
CVE-2026-27479 is a Server-Side Request Forgery vulnerability in Wallos versions 4.6.0 and below that lets an attacker bypass IP validation via an HTTP redirect and reach internal resources.
You are affected if you are running Wallos version 4.6.0 or earlier. Upgrade to version 4.6.1 or later to fix the vulnerability.
Upgrade Wallos to version 4.6.1 or later. As a temporary workaround, restrict outbound connections from the Wallos host to internal and metadata address ranges, enforce IMDSv2 on AWS, and, where a WAF is in place, reject logo URLs that point at internal addresses while remembering that the WAF cannot see the redirect hop.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and requires little skill to exploit.
Refer to the Wallos project's official website and security advisories for the latest information: [https://wallos.dev/security](https://wallos.dev/security)