Lucene search
+L

151 matches found

RedhatCVE
RedhatCVE
added 2026/03/26 3:8 p.m.5 views

CVE-2026-33400

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting XSS vulnerability in the payment method rename endpoint allows any authenticated user to inject arbitrary JavaScript that executes when any user visits the Settings,...

5.4CVSS5.7AI score0.00193EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:1 p.m.4 views

CVE-2026-33407

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTPPROXY and HTTPSPROXY environment variables without validation, enabling SSRF via proxy hijacking. The server performs DNS resolution on user-supplied search...

9.1CVSS5.8AI score0.00369EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:1 p.m.9 views

CVE-2026-33399

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validatewebhookurlforssrf protection was added to the test notification endpoints but not to the...

8.8CVSS7.2AI score0.00497EPSS
Exploits3References1
NVD
NVD
added 2026/03/24 7:16 p.m.5 views

CVE-2026-33417

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The passwordresets table includes a createdat timestamp column, but the token validation logic never checks it. A password reset token remains valid...

7.1CVSS0.00264EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/24 6:1 p.m.10 views

CVE-2026-33417

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The passwordresets table includes a createdat timestamp column, but the token validation logic never checks it. A password reset token remains valid...

6.5CVSS5.7AI score0.00264EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/03/24 6:1 p.m.12 views

CVE-2026-33417

Wallos is an open-source self-hosted personal subscription tracker. Multiple sources confirm a vulnerability in versions prior to 4.7.2 where password reset tokens never expire because the token validation logic does not check the token’s created_at timestamp in the password_resets table. The con...

7.1CVSS5.7AI score0.00264EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/24 6:1 p.m.4 views

CVE-2026-33417 Wallos: Password Reset Tokens Never Expire

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The passwordresets table includes a createdat timestamp column, but the token validation logic never checks it. A password reset token remains valid...

6.5CVSS5.7AI score0.00264EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/03/24 6:1 p.m.22 views

CVE-2026-33417 Wallos: Password Reset Tokens Never Expire

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The passwordresets table includes a createdat timestamp column, but the token validation logic never checks it. A password reset token remains valid...

6.5CVSS0.00264EPSS
Exploits1References2
EUVD
EUVD
added 2026/03/24 6:1 p.m.8 views

EUVD-2026-14967

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The passwordresets table includes a createdat timestamp column, but the token validation logic never checks it. A password reset token remains valid...

6.5CVSS5.7AI score0.00264EPSS
Exploits1References2
OSV
OSV
added 2026/03/24 6:1 p.m.8 views

CVE-2026-33417 Wallos: Password Reset Tokens Never Expire

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The passwordresets table includes a createdat timestamp column, but the token validation logic never checks it. A password reset token remains valid...

6.5CVSS5.8AI score0.00264EPSS
Exploits1References4
CVE
CVE
added 2026/03/24 5:58 p.m.19 views

CVE-2026-33401

CVE-2026-33401 concerns Wallos, an open-source personal subscription tracker. Before 4.7.0, an incomplete SSRF fix allowed an authenticated user to reach internal network services, cloud metadata endpoints (AWS IMDSv1, GCP, Azure IMDS), or localhost-bound services by crafting URLs exposed to the ...

7.1CVSS7.2AI score0.00497EPSS
Exploits2References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/24 5:58 p.m.4 views

CVE-2026-33401 Wallos: Incomplete fix for CVE-2026-30840 - SSRF in AI and notification endpoints bypass ssrf_helper.php

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 CVE-2026-30840 added SSRF protection to notification test endpoints but left three additional attack surfaces unprotected: the AI Ollama host parameter, the AI...

7.1CVSS7.2AI score0.00497EPSS
Exploits2References3
Cvelist
Cvelist
added 2026/03/24 5:58 p.m.23 views

CVE-2026-33401 Wallos: Incomplete fix for CVE-2026-30840 - SSRF in AI and notification endpoints bypass ssrf_helper.php

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 CVE-2026-30840 added SSRF protection to notification test endpoints but left three additional attack surfaces unprotected: the AI Ollama host parameter, the AI...

7.1CVSS0.00283EPSS
Exploits2References3
ATTACKERKB
ATTACKERKB
added 2026/03/24 5:58 p.m.5 views

CVE-2026-33401

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 CVE-2026-30840 added SSRF protection to notification test endpoints but left three additional attack surfaces unprotected: the AI Ollama host parameter, the AI...

8.8CVSS7.2AI score0.00497EPSS
Exploits2References4Affected Software1
OSV
OSV
added 2026/03/24 5:58 p.m.3 views

CVE-2026-33401 Wallos: Incomplete fix for CVE-2026-30840 - SSRF in AI and notification endpoints bypass ssrf_helper.php

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 CVE-2026-30840 added SSRF protection to notification test endpoints but left three additional attack surfaces unprotected: the AI Ollama host parameter, the AI...

7.1CVSS5.8AI score0.00283EPSS
Exploits2References5
Cvelist
Cvelist
added 2026/03/24 5:45 p.m.21 views

CVE-2026-33400 Wallos: Stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting XSS vulnerability in the payment method rename endpoint allows any authenticated user to inject arbitrary JavaScript that executes when any user visits the Settings,...

5.4CVSS0.00193EPSS
Exploits1References2
EUVD
EUVD
added 2026/03/24 5:45 p.m.5 views

EUVD-2026-14946

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting XSS vulnerability in the payment method rename endpoint allows any authenticated user to inject arbitrary JavaScript that executes when any user visits the Settings,...

5.4CVSS5.7AI score0.00193EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/24 5:45 p.m.3 views

CVE-2026-33400

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting XSS vulnerability in the payment method rename endpoint allows any authenticated user to inject arbitrary JavaScript that executes when any user visits the Settings,...

5.4CVSS5.7AI score0.00193EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/03/24 5:43 p.m.23 views

CVE-2026-33399 Wallos: SSRF Bypass - Incomplete Fix for CVE-2026-30839/30840

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validatewebhookurlforssrf protection was added to the test notification endpoints but not to the...

7.7CVSS0.00282EPSS
Exploits3References2
Vulnrichment
Vulnrichment
added 2026/03/24 5:43 p.m.5 views

CVE-2026-33399 Wallos: SSRF Bypass - Incomplete Fix for CVE-2026-30839/30840

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validatewebhookurlforssrf protection was added to the test notification endpoints but not to the...

7.7CVSS7.2AI score0.00497EPSS
Exploits3References2
Rows per page
Query Builder