CVE-2026-30828
Received Received - Intake
Local File Disclosure in Wallos Subscription Tracker Before

Publication date: 2026-03-07

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30828
EUVD
EUVD-2026-10116
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wallosapp wallos to 4.6.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-29 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability allows an attacker to read arbitrary local files on the server running the Wallos application without authorization. This can lead to exposure of sensitive information such as configuration files, user data, or system credentials.

Because the attacker can exploit the SSRF and path traversal to access files like `/etc/passwd`, it poses a significant security risk by potentially revealing critical system information that could be used for further attacks or unauthorized access.

Compliance Impact

I don't know

Executive Summary

CVE-2026-30828 is a high-severity vulnerability in the Wallos application that involves Server-Side Request Forgery (SSRF) combined with a path traversal issue. Specifically, the vulnerability exists in the POST endpoint `/endpoints/notifications/testwebhooknotifications.php` where the `url` parameter can be manipulated by an attacker.

An attacker can supply a malicious URL such as `file:///etc/passwd` in the JSON payload, causing the server to read sensitive local system files. This happens because the application uses external input to construct file paths without properly sanitizing or neutralizing directory traversal sequences like `..`, allowing attackers to escape the intended directory and access arbitrary files on the server.

The vulnerability corresponds to CWE-29 (Path Traversal) and CWE-918 (Server-Side Request Forgery), as the server does not validate that the requested URL is safe or within an expected domain.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint `/endpoints/notifications/testwebhooknotifications.php` that include a `url` parameter with potentially malicious values such as file URLs (e.g., `file:///etc/passwd`).'}, {'type': 'paragraph', 'content': 'A practical detection method is to inspect web server logs or use network monitoring tools to identify requests containing the `url` parameter with local file paths or unusual URL schemes.'}, {'type': 'list_item', 'content': "Use command-line tools like `grep` to search server logs for suspicious payloads, for example: `grep -i 'url.*file://' /var/log/nginx/access.log`"}, {'type': 'list_item', 'content': 'Use tools like `curl` or `httpie` to test the endpoint with crafted POST requests containing the `url` parameter to see if local files can be accessed.'}, {'type': 'list_item', 'content': 'Example curl command to test the vulnerability: `curl -X POST -H "Content-Type: application/json" -d \'{"url":"file:///etc/passwd"}\' https://your-wallos-instance/endpoints/notifications/testwebhooknotifications.php`'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Wallos to version 4.6.2 or later, where this vulnerability has been patched.

If upgrading is not immediately possible, restrict access to the vulnerable endpoint by implementing network-level controls such as firewall rules or IP whitelisting to limit who can send requests.

Additionally, monitor and block suspicious requests containing the `url` parameter with local file paths or unusual URL schemes to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30828. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart