CVE-2026-30841

MEDIUM

Wallos <4.6.2 - XSS

Title source: llm

Description

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["email"] directly into HTML input value attributes using <?= $token ?> and <?= $email ?> without calling htmlspecialchars(). This allows reflected XSS by breaking out of the attribute context. This issue has been patched in version 4.6.2.

References (3)

Scores

CVSS v3 6.1
EPSS 0.0001
EPSS Percentile 2.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
wallosapp/wallos < 4.6.2
Published Mar 07, 2026
Tracked Since Mar 07, 2026