GHSA-56FM-HFP3-X3W3 Wallabag user can disable 2FA unintentionally
Impact wallabag was discovered to contain a Cross-Site Request Forgery CSRF which allows attackers to arbitrarily disable 2FA through /config/otp/app/disable and /config/otp/email/disable. This vulnerability has a CVSSv3.1 score of 4.3. You should upgrade your instance to version 2.6.7 or higher...