Lucene search
+L

151 matches found

NVD
NVD
added 2026/03/07 6:16 a.m.7 views

CVE-2026-30842

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any...

4.3CVSS0.00297EPSS
Exploits1References3
NVD
NVD
added 2026/03/07 6:16 a.m.15 views

CVE-2026-30828

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.2...

8.7CVSS0.00533EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/03/07 5:41 a.m.5 views

CVE-2026-30842 Wallos: Authenticated Missing Authorization Allows Deletion of Other Users’ Uploaded Avatars

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any...

4.3CVSS5.8AI score0.00297EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/07 5:41 a.m.30 views

CVE-2026-30842 Wallos: Authenticated Missing Authorization Allows Deletion of Other Users’ Uploaded Avatars

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any...

4.3CVSS0.00297EPSS
Exploits1References3
CVE
CVE
added 2026/03/07 5:41 a.m.22 views

CVE-2026-30842

Wallos, an open-source self-hosted personal subscription tracker, has a vulnerability prior to version 4.6.2 where an authenticated user can delete avatar files uploaded by other users because the avatar deletion endpoint does not verify ownership. The issue is fixed in version 4.6.2. Affected: W...

4.3CVSS5.8AI score0.00297EPSS
Exploits1References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/07 5:41 a.m.4 views

CVE-2026-30842

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any...

4.3CVSS5.8AI score0.00297EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/03/07 5:41 a.m.3 views

CVE-2026-30842 Wallos: Authenticated Missing Authorization Allows Deletion of Other Users’ Uploaded Avatars

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any...

4.3CVSS5.8AI score0.00297EPSS
Exploits1References5
EUVD
EUVD
added 2026/03/07 5:40 a.m.9 views

EUVD-2026-10121

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $GET"token" and $GET"email" directly into HTML input value attributes using and without calling htmlspecialchars. This allows reflected XSS by breaking out of the attribute...

6.9CVSS5.7AI score0.00283EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/03/07 5:40 a.m.2 views

CVE-2026-30841 Wallos: Reflected XSS via unescaped token and email parameters in passwordreset.php

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $GET"token" and $GET"email" directly into HTML input value attributes using and without calling htmlspecialchars. This allows reflected XSS by breaking out of the attribute...

6.9CVSS5.7AI score0.00283EPSS
Exploits1References3
OSV
OSV
added 2026/03/07 5:40 a.m.5 views

CVE-2026-30841 Wallos: Reflected XSS via unescaped token and email parameters in passwordreset.php

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $GET"token" and $GET"email" directly into HTML input value attributes using and without calling htmlspecialchars. This allows reflected XSS by breaking out of the attribute...

6.9CVSS5.7AI score0.00283EPSS
Exploits1References5
CVE
CVE
added 2026/03/07 5:40 a.m.19 views

CVE-2026-30841

CVE-2026-30841 affects Wallos prior to version 4.6.2. The vulnerability is a reflected XSS in passwordreset.php where $_GET["token"] and $_GET["email"] are echoed directly into HTML input value attributes without htmlspecialchars(), allowing an attacker to break out of the attribute context. The ...

6.9CVSS5.7AI score0.00283EPSS
Exploits1References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/07 5:39 a.m.5 views

CVE-2026-30840

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2...

8.8CVSS5.7AI score0.00497EPSS
Exploits1References4Affected Software1
CVE
CVE
added 2026/03/07 5:39 a.m.13 views

CVE-2026-30840

CVE-2026-30840 affects Wallos prior to version 4.6.2, where a server-side request forgery (SSRF) vulnerability exists in notification testers. The issue has been patched in 4.6.2. According to the advisory metrics, the vulnerability is high risk (CVSSv3.0: 8.8), with network attack vector, low at...

8.8CVSS5.7AI score0.00497EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/07 5:39 a.m.0 views

CVE-2026-30840 Wallos: Server-Side Request Forgery (SSRF) in Notification Testers

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2...

8.8CVSS5.7AI score0.00497EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/07 5:39 a.m.30 views

CVE-2026-30840 Wallos: Server-Side Request Forgery (SSRF) in Notification Testers

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2...

8.8CVSS0.00497EPSS
Exploits1References3
EUVD
EUVD
added 2026/03/07 5:39 a.m.6 views

EUVD-2026-10120

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2...

8.8CVSS5.7AI score0.00497EPSS
Exploits1References3
OSV
OSV
added 2026/03/07 5:39 a.m.3 views

CVE-2026-30840 Wallos: Server-Side Request Forgery (SSRF) in Notification Testers

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2...

8.8CVSS5.7AI score0.00497EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/03/07 5:29 a.m.29 views

CVE-2026-30839 Wallos: SSRF via webhook test endpoint

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in...

5.3CVSS0.00331EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/03/07 5:29 a.m.6 views

CVE-2026-30839

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in...

5.3CVSS5.7AI score0.00331EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/03/07 5:29 a.m.5 views

CVE-2026-30839 Wallos: SSRF via webhook test endpoint

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in...

5.3CVSS5.7AI score0.00331EPSS
Exploits1References5
Rows per page
Query Builder