16 matches found
CVE-2024-22776
Wallos 0.9 is affected by a Cross Site Scripting (XSS) vulnerability in all text-based input fields, due to insufficient input validation (fields excluding those with specific formats like dates). The vulnerability is reported across multiple sources (NVD/Red Hat/CVE records and third-party catal...
CVE-2024-57386
CVE-2024-57386 affects Wallos v2.41.0. A Cross Site Scripting vulnerability in the profile picture function allows a remote attacker to execute arbitrary code. The issue is documented across multiple sources (NVD, Red Hat, OSV, CNNVD, etc.). Exploitation vectors are not detailed beyond the profil...
CVE-2024-55372
CVE-2024-55372 concerns Wallos
CVE-2024-29320
Wallos is affected by a SQL injection in versions prior to 1.15.3. The vulnerability stems from unsanitized input in the category and payment parameters to /subscriptions/get.php, enabling potentially unauthorized data access. Affected product: Wallos (open source personal subscription tracker); ...
CVE-2024-55371
CVE-2024-55371 concerns Wallos
CVE-2026-27479
CVE-2026-27479 affects Wallos versions ≤ 4.6.0, where a SSRF issue arises in the logo/icon URL fetch. The application validates the target URL’s IP, but allows HTTP redirects (CURLOPT_FOLLOWLOCATION = true) and follows up to 3 redirects, bypassing the initial IP check and enabling access to inter...
CVE-2026-30839
CVE-2026-30839 affects Wallos prior to version 4.6.2. The issue in testwebhooknotifications.php allows full-read SSRF because the target URL is not validated against private/reserved IP ranges; the server response is returned to the caller. This vulnerability is mitigated in 4.6.2 (patch released...
CVE-2026-30842
Wallos, an open-source self-hosted personal subscription tracker, has a vulnerability prior to version 4.6.2 where an authenticated user can delete avatar files uploaded by other users because the avatar deletion endpoint does not verify ownership. The issue is fixed in version 4.6.2. Affected: W...
CVE-2026-30828
CVE-2026-30828 affects Wallos prior to version 4.6.2, where the url parameter can be used to retrieve local system files. The issue has been patched in 4.6.2. Reported CVSS 4.0/8.7 (HIGH) with network attack vector, low complexity and no user interaction required; impact is limited to confidentia...
CVE-2026-30841
CVE-2026-30841 affects Wallos prior to version 4.6.2. The vulnerability is a reflected XSS in passwordreset.php where $_GET["token"] and $_GET["email"] are echoed directly into HTML input value attributes without htmlspecialchars(), allowing an attacker to break out of the attribute context. The ...
CVE-2026-33400
CVE-2026-33400 affects Wallos, an open-source self-hosted personal subscription tracker. Prior to version 4.7.0, a stored XSS vulnerability existed in the payment method rename endpoint, allowing any authenticated user to inject arbitrary JavaScript that runs when users visit Settings, Subscripti...
CVE-2026-33401
CVE-2026-33401 concerns Wallos, an open-source personal subscription tracker. Before 4.7.0, an incomplete SSRF fix allowed an authenticated user to reach internal network services, cloud metadata endpoints (AWS IMDSv1, GCP, Azure IMDS), or localhost-bound services by crafting URLs exposed to the ...
CVE-2026-33399
CVE-2026-33399 / CVE-2026-33401 (Wallos): Open-source personal subscription tracker with SSRF flaws that were partially patched in version 4.7.0. The issues arise from incomplete SSRF mitigation: while 4.6.2 added protection to some notification endpoints, it did not cover all save/test paths, en...
CVE-2026-30840
CVE-2026-30840 affects Wallos prior to version 4.6.2, where a server-side request forgery (SSRF) vulnerability exists in notification testers. The issue has been patched in 4.6.2. According to the advisory metrics, the vulnerability is high risk (CVSSv3.0: 8.8), with network attack vector, low at...
CVE-2026-33407
Wallos
CVE-2026-33417
Wallos is an open-source self-hosted personal subscription tracker. Multiple sources confirm a vulnerability in versions prior to 4.7.2 where password reset tokens never expire because the token validation logic does not check the token’s created_at timestamp in the password_resets table. The con...