Platform
php
Component
wallos
Fixed in
4.6.2
CVE-2026-27479 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Wallos, an open-source subscription tracker. This flaw allows attackers to bypass IP address validation and potentially access sensitive internal resources, including cloud instance metadata. The vulnerability impacts versions 4.6.0 and earlier, and a patch is available in version 4.6.1.
The SSRF vulnerability in Wallos arises from the application's handling of subscription and payment logo/icon uploads. While the application attempts to validate the IP address of the provided URL, it utilizes HTTP redirects (CURLOPT_FOLLOWLOCATION = true). This allows an attacker to craft a malicious URL that redirects to an internal resource, effectively bypassing the IP validation check. Successful exploitation could enable attackers to retrieve sensitive information from cloud instance metadata endpoints, potentially exposing API keys, credentials, or other confidential data. The blast radius extends to any internal services accessible via HTTP, and the vulnerability could be leveraged for reconnaissance and further attacks.
CVE-2026-27479 was publicly disclosed on 2026-02-21. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. This vulnerability shares similarities with other SSRF exploits that leverage HTTP redirects to bypass security controls.
Exploit Status
EPSS
0.03% (10% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-27479 is to upgrade Wallos to version 4.6.1 or later, which contains the fix. If an immediate upgrade is not feasible, consider implementing temporary workarounds. A Web Application Firewall (WAF) can be configured to block requests containing suspicious URLs or redirect patterns. Restricting outbound connections from the Wallos application to only trusted internal resources can also limit the potential impact. Regularly review and audit the application's configuration to ensure adherence to security best practices. After upgrading, confirm the fix by attempting to upload a logo from a known internal resource and verifying that the request is properly blocked.
Update Wallos to version 4.6.1 or higher. This version fixes the SSRF vulnerability by correctly validating HTTP redirects when fetching subscription and payment logos and icons.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-27479 is a Server-Side Request Forgery vulnerability in Wallos versions 4.6.0 and below, allowing attackers to bypass IP validation and access internal resources.
You are affected if you are running Wallos version 4.6.0 or earlier. Upgrade to version 4.6.1 to mitigate the vulnerability.
Upgrade Wallos to version 4.6.1. As a temporary workaround, implement WAF rules to block suspicious URLs and restrict outbound connections.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the Wallos project's official website and security advisories for the latest information: [https://wallos.dev/security](https://wallos.dev/security)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.