151 matches found
CVE-2026-30842
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any...
CVE-2026-30828
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.2...
CVE-2026-30842 Wallos: Authenticated Missing Authorization Allows Deletion of Other Users’ Uploaded Avatars
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any...
CVE-2026-30842 Wallos: Authenticated Missing Authorization Allows Deletion of Other Users’ Uploaded Avatars
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any...
CVE-2026-30842
Wallos, an open-source self-hosted personal subscription tracker, has a vulnerability prior to version 4.6.2 where an authenticated user can delete avatar files uploaded by other users because the avatar deletion endpoint does not verify ownership. The issue is fixed in version 4.6.2. Affected: W...
CVE-2026-30842
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any...
CVE-2026-30842 Wallos: Authenticated Missing Authorization Allows Deletion of Other Users’ Uploaded Avatars
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any...
EUVD-2026-10121
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $GET"token" and $GET"email" directly into HTML input value attributes using and without calling htmlspecialchars. This allows reflected XSS by breaking out of the attribute...
CVE-2026-30841 Wallos: Reflected XSS via unescaped token and email parameters in passwordreset.php
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $GET"token" and $GET"email" directly into HTML input value attributes using and without calling htmlspecialchars. This allows reflected XSS by breaking out of the attribute...
CVE-2026-30841 Wallos: Reflected XSS via unescaped token and email parameters in passwordreset.php
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $GET"token" and $GET"email" directly into HTML input value attributes using and without calling htmlspecialchars. This allows reflected XSS by breaking out of the attribute...
CVE-2026-30841
CVE-2026-30841 affects Wallos prior to version 4.6.2. The vulnerability is a reflected XSS in passwordreset.php where $_GET["token"] and $_GET["email"] are echoed directly into HTML input value attributes without htmlspecialchars(), allowing an attacker to break out of the attribute context. The ...
CVE-2026-30840
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2...
CVE-2026-30840
CVE-2026-30840 affects Wallos prior to version 4.6.2, where a server-side request forgery (SSRF) vulnerability exists in notification testers. The issue has been patched in 4.6.2. According to the advisory metrics, the vulnerability is high risk (CVSSv3.0: 8.8), with network attack vector, low at...
CVE-2026-30840 Wallos: Server-Side Request Forgery (SSRF) in Notification Testers
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2...
CVE-2026-30840 Wallos: Server-Side Request Forgery (SSRF) in Notification Testers
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2...
EUVD-2026-10120
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2...
CVE-2026-30840 Wallos: Server-Side Request Forgery (SSRF) in Notification Testers
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2...
CVE-2026-30839 Wallos: SSRF via webhook test endpoint
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in...
CVE-2026-30839
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in...
CVE-2026-30839 Wallos: SSRF via webhook test endpoint
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in...