Home / Vulnerability Intelligence / CVE-2026-30840

CVE-2026-30840 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 9, 2026

Wallos - Server Side Request Forgery

Published: March 7, 2026Updated: March 9, 2026Remote Exploitable

Overview

Wallos < 4.6.2 contains a server-side request forgery caused by improper validation in notification testers, letting attackers make arbitrary server requests, exploit requires network access.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 5.0%(Probability of exploitation in next 30 days)

Impact

Attackers can make arbitrary server requests, potentially accessing internal resources or sensitive data.

Mitigation

Update to version 4.6.2 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 24, 2026

🟠 CVE-2026-33399 - High (7.7) Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection was added to t... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33399/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-30840
Severity: High
CVSS Score: 8.8
Type: server_side_request_forgery
Status: unconfirmed
EPSS: 5.0%
Social Posts: 1

CWE

CWE-295

CVSS Metrics

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

5.0%Probability of exploitation in the next 30 days