CVE-2026-30839 is a medium-severity SSRF vulnerability affecting ellite's Wallos software versions prior to 4.6.2. Wallos is an open-source, self-hostable personal subscription tracker. The vulnerability exists in the testwebhooknotifications.php script, which fails to validate the target URL against private or reserved IP address ranges. This lack of validation allows an attacker to craft requests that cause the server to initiate HTTP requests to internal or otherwise restricted network resources. Because the server returns the response content to the attacker, this can lead to unauthorized information disclosure from internal systems, potentially exposing sensitive data or internal services. The vulnerability does not require user interaction but does require low privileges on the system (PR:L). The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (AT:N), no user interaction (UI:N), and low impact on confidentiality (VC:L), with no impact on integrity or availability. The vulnerability has been patched in Wallos version 4.6.2, which implements proper validation to block requests targeting private or reserved IP ranges. No public exploits or active exploitation have been reported to date. This vulnerability is typical of SSRF issues where insufficient input validation allows attackers to pivot from an externally accessible service into internal network resources.

The primary impact of this SSRF vulnerability is unauthorized internal network reconnaissance and information disclosure. Attackers can leverage the vulnerability to access internal services that are otherwise inaccessible from the internet, potentially exposing sensitive data such as internal APIs, metadata services, or configuration endpoints. This can facilitate further attacks, including privilege escalation or lateral movement within the network. Since the server returns the response to the attacker, sensitive internal information could be leaked. While the vulnerability does not directly allow code execution or denial of service, the information gained can significantly aid attackers in compromising the affected environment. Organizations using Wallos in sensitive or critical environments risk exposure of internal network topology and data. The medium CVSS score reflects moderate risk, but the actual impact depends on the internal network's sensitivity and the privileges of the compromised Wallos instance. Because Wallos is self-hosted, the risk is higher in environments where it is exposed to untrusted users or the internet without proper network segmentation.

To mitigate this vulnerability, organizations should immediately upgrade Wallos to version 4.6.2 or later, where the SSRF flaw has been patched by validating and blocking requests to private and reserved IP ranges. Additionally, administrators should implement network-level protections such as firewall rules to restrict outbound HTTP requests from the Wallos server to only trusted destinations. Employing web application firewalls (WAFs) with SSRF detection capabilities can help detect and block suspicious requests targeting internal IP ranges. It is also advisable to audit and monitor logs for unusual outbound requests originating from Wallos, which may indicate exploitation attempts. Network segmentation should be enforced to isolate the Wallos server from sensitive internal resources. Finally, applying the principle of least privilege to the Wallos service account limits the potential damage if exploited. Regular vulnerability scanning and patch management processes should be maintained to promptly address similar issues in the future.