CVE-2026-33401: Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in c
highvulnerability
security
Summary
Wallos, an open-source tool for tracking subscriptions that users can run on their own servers, had incomplete security protections in versions before 4.7.0. A logged-in attacker could bypass these protections by sending specially crafted web addresses to three different features (AI Ollama settings, AI recommendations, and notification scheduling), allowing them to reach internal systems or cloud configuration services they shouldn't access.
Solution / Mitigation
Update to version 4.7.0, which patches this vulnerability.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Disclosure Date
March 24, 2026
Classification
Attack Type
Supply Chain
Attack SophisticationModerate
Impact (CIA+S)
confidentialityintegrity
Taxonomy References
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-33401
First tracked: March 24, 2026 at 08:07 PM
Classified by LLM (prompt v3) · confidence: 85%