Wallos Server-Side Request Forgery Vulnerability in Webhook Test Endpoint

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Wallos, a personal subscription tracker, in versions prior to 4.6.2. The issue resides in the 'testwebhooknotifications.php' file, which fails to validate the user-supplied target URL against private or reserved IP ranges before fetching it. This oversight allows authenticated users to make the server send requests to internal services and read the responses, potentially leaking sensitive information. The vulnerability has been patched in version 4.6.2.

Impact

Exploitation of this vulnerability allows authenticated users to read responses from internal services, including cloud instance metadata, which could contain sensitive credentials.

Reproduction

To reproduce this vulnerability, log into the application and obtain a CSRF token. Then, send a POST request to the 'testwebhooknotifications.php' endpoint, including the target URL as a parameter. The server response will reveal that the internal service was accessed, demonstrating the successful exploitation of the SSRF vulnerability.

Remediation

Users should update to Wallos version 4.6.2 or later, where this vulnerability has been fixed.
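As an added example, not code from Wallos or its 4.6.2 fix, the kind of check a webhook test endpoint should apply to a user-supplied URL before fetching it; the resolver table is constructed sample data standing in for DNS so the example runs offline.

```python
# Added example (not Wallos code): validate a webhook target before fetching.
# Name resolution is injected so the check runs offline; SAMPLE_DNS is constructed.
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS: hostname -> list of address strings.
SAMPLE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.0.0.5"],
    "dual.example.com": ["93.184.216.35", "192.168.1.20"],  # one public, one private
}

def resolve(host, table=SAMPLE_DNS):
    """Return every address for host; an IP literal resolves to itself."""
    try:
        return [str(ipaddress.ip_address(host.strip("[]")))]
    except ValueError:
        return table.get(host, [])

def is_public_address(addr):
    """True only for globally routable unicast addresses. This rejects RFC 1918
    space, loopback, link-local (including 169.254.169.254 cloud metadata),
    IPv6 ULA, multicast and the other reserved ranges ipaddress knows about."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal (::ffff:10.0.0.5) is judged by the embedded IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast

def check_webhook_target(url, table=SAMPLE_DNS):
    """Return (allowed, reason). Allow only http(s) to a host whose addresses are
    all public; a mixed answer is denied so one private record cannot slip in."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    addrs = resolve(host, table)
    if not addrs:
        return False, "unresolvable host"
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        return False, f"resolves to non-public address {bad[0]}"
    return True, "ok"
```

The HTTP client must then connect to the address that passed the check rather than re-resolving the hostname, and redirects must be disabled or re-checked per hop, otherwise the validation can be bypassed after the fact.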

Added: Mar 7, 2026, 6:20 AM
Updated: Mar 7, 2026, 6:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.0
remediation: 7.7
relevance: 3.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.