CVE ID :CVE-2026-41688 Published : May 7, 2026, 1:52 p.m. | 1 hour, 13 minutes ago Description :Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but passes the original hostname to cURL without CURLOPT_RESOLVE pinning on 10 of 11 outbound HTTP endpoints, leaving a DNS rebinding TOCTOU window. At time of publication, there are no publicly available patches. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...