Lucene search
K
WallosappWallos

16 matches found

CVE
CVE
added 2024/02/23 12:0 a.m.4144 views

CVE-2024-22776

Wallos 0.9 is affected by a Cross Site Scripting (XSS) vulnerability in all text-based input fields, due to insufficient input validation (fields excluding those with specific formats like dates). The vulnerability is reported across multiple sources (NVD/Red Hat/CVE records and third-party catal...

4.7CVSS5.9AI score0.00474EPSS
CVE
CVE
added 2025/01/23 12:0 a.m.66 views

CVE-2024-57386

CVE-2024-57386 affects Wallos v2.41.0. A Cross Site Scripting vulnerability in the profile picture function allows a remote attacker to execute arbitrary code. The issue is documented across multiple sources (NVD, Red Hat, OSV, CNNVD, etc.). Exploitation vectors are not detailed beyond the profil...

6.1CVSS7.5AI score0.00444EPSS
CVE
CVE
added 2025/04/16 12:0 a.m.65 views

CVE-2024-55372

CVE-2024-55372 concerns Wallos

9.8CVSS7.7AI score0.00554EPSS
CVE
CVE
added 2024/04/30 12:0 a.m.63 views

CVE-2024-29320

Wallos is affected by a SQL injection in versions prior to 1.15.3. The vulnerability stems from unsanitized input in the category and payment parameters to /subscriptions/get.php, enabling potentially unauthorized data access. Affected product: Wallos (open source personal subscription tracker); ...

8.1CVSS8AI score0.00673EPSS
Web
CVE
CVE
added 2025/04/16 12:0 a.m.60 views

CVE-2024-55371

CVE-2024-55371 concerns Wallos

9.8CVSS7.3AI score0.00538EPSS
CVE
CVE
added 2026/02/21 8:15 a.m.23 views

CVE-2026-27479

CVE-2026-27479 affects Wallos versions ≤ 4.6.0, where a SSRF issue arises in the logo/icon URL fetch. The application validates the target URL’s IP, but allows HTTP redirects (CURLOPT_FOLLOWLOCATION = true) and follows up to 3 redirects, bypassing the initial IP check and enabling access to inter...

7.7CVSS5.6AI score0.00307EPSS
CVE
CVE
added 2026/03/07 5:29 a.m.21 views

CVE-2026-30839

CVE-2026-30839 affects Wallos prior to version 4.6.2. The issue in testwebhooknotifications.php allows full-read SSRF because the target URL is not validated against private/reserved IP ranges; the server response is returned to the caller. This vulnerability is mitigated in 4.6.2 (patch released...

5.3CVSS5.7AI score0.00331EPSS
CVE
CVE
added 2026/03/07 5:41 a.m.19 views

CVE-2026-30842

Wallos, an open-source self-hosted personal subscription tracker, has a vulnerability prior to version 4.6.2 where an authenticated user can delete avatar files uploaded by other users because the avatar deletion endpoint does not verify ownership. The issue is fixed in version 4.6.2. Affected: W...

4.3CVSS5.8AI score0.00297EPSS
CVE
CVE
added 2026/03/07 5:27 a.m.18 views

CVE-2026-30828

CVE-2026-30828 affects Wallos prior to version 4.6.2, where the url parameter can be used to retrieve local system files. The issue has been patched in 4.6.2. Reported CVSS 4.0/8.7 (HIGH) with network attack vector, low complexity and no user interaction required; impact is limited to confidentia...

8.7CVSS5.7AI score0.00533EPSS
CVE
CVE
added 2026/03/07 5:40 a.m.18 views

CVE-2026-30841

CVE-2026-30841 affects Wallos prior to version 4.6.2. The vulnerability is a reflected XSS in passwordreset.php where $_GET["token"] and $_GET["email"] are echoed directly into HTML input value attributes without htmlspecialchars(), allowing an attacker to break out of the attribute context. The ...

6.9CVSS5.7AI score0.00283EPSS
CVE
CVE
added 2026/03/24 5:45 p.m.16 views

CVE-2026-33400

CVE-2026-33400 affects Wallos, an open-source self-hosted personal subscription tracker. Prior to version 4.7.0, a stored XSS vulnerability existed in the payment method rename endpoint, allowing any authenticated user to inject arbitrary JavaScript that runs when users visit Settings, Subscripti...

5.4CVSS5.7AI score0.00193EPSS
CVE
CVE
added 2026/03/24 5:58 p.m.14 views

CVE-2026-33401

CVE-2026-33401 concerns Wallos, an open-source personal subscription tracker. Before 4.7.0, an incomplete SSRF fix allowed an authenticated user to reach internal network services, cloud metadata endpoints (AWS IMDSv1, GCP, Azure IMDS), or localhost-bound services by crafting URLs exposed to the ...

7.1CVSS7.2AI score0.00283EPSS
CVE
CVE
added 2026/03/24 5:43 p.m.13 views

CVE-2026-33399

CVE-2026-33399 / CVE-2026-33401 (Wallos): Open-source personal subscription tracker with SSRF flaws that were partially patched in version 4.7.0. The issues arise from incomplete SSRF mitigation: while 4.6.2 added protection to some notification endpoints, it did not cover all save/test paths, en...

7.7CVSS7.2AI score0.00282EPSS
CVE
CVE
added 2026/03/07 5:39 a.m.12 views

CVE-2026-30840

CVE-2026-30840 affects Wallos prior to version 4.6.2, where a server-side request forgery (SSRF) vulnerability exists in notification testers. The issue has been patched in 4.6.2. According to the advisory metrics, the vulnerability is high risk (CVSSv3.0: 8.8), with network attack vector, low at...

8.8CVSS5.7AI score0.00497EPSS
CVE
CVE
added 2026/03/24 5:40 p.m.12 views

CVE-2026-33407

Wallos

9.1CVSS5.8AI score0.00369EPSS
CVE
CVE
added 2026/03/24 6:1 p.m.10 views

CVE-2026-33417

Wallos is an open-source self-hosted personal subscription tracker. Multiple sources confirm a vulnerability in versions prior to 4.7.2 where password reset tokens never expire because the token validation logic does not check the token’s created_at timestamp in the password_resets table. The con...

7.1CVSS5.7AI score0.00264EPSS