Description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["email"] directly into HTML input value attributes using <?= $token ?> and <?= $email ?> without calling htmlspecialchars(). This allows reflected XSS by breaking out of the attribute context. This issue has been patched in version 4.6.2.
Published: 2026-03-07
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS in password reset fields can lead to client‑side script execution.
Action: Patch Now
AI Analysis

Impact

The vulnerability occurs when passwordreset.php outputs the token and email GET parameters directly into HTML input attributes without escaping, enabling an attacker to inject JavaScript that will execute in the victim’s browser. The flaw is a reflected Cross‑Site Scripting weakness identified as CWE‑79.

Affected Systems

Wallos, an open‑source personal subscription tracker by ellite, is affected in all releases prior to version 4.6.2. The issue was fixed in the 4.6.2 release and later. Users running older versions should verify their build and apply the update.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score of less than 1% suggests a very low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The attack vector, inferred from the description, is remote: a crafted link to the password reset page, with no authentication or local access required.

Generated by OpenCVE AI on April 17, 2026 at 12:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Wallos 4.6.2 or later.
  • If an upgrade cannot be performed immediately, modify passwordreset.php to escape the token and email parameters with htmlspecialchars() before rendering them.
  • Deploy WAF rules or Content-Security-Policy headers to block or mitigate reflected XSS payloads targeting the password reset endpoint.

Generated by OpenCVE AI on April 17, 2026 at 12:14 UTC.
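As an added illustration (not code from Wallos or from OpenCVE), the pre-4.6.2 output pattern beside the htmlspecialchars() form the remediation bullet describes; the two render functions are hypothetical stand-ins for the template fragments in passwordreset.php, and the probe input is constructed.

```php
<?php
// Added illustration for CVE-2026-30841; not Wallos's own passwordreset.php.
// vulnerable_form() and fixed_form() are hypothetical stand-ins for the
// template fragments that interpolate $_GET["token"] and $_GET["email"].

// Escape a value for an HTML attribute. ENT_QUOTES covers both quote styles,
// so the result cannot terminate value="..." or value='...'.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Pre-4.6.2 pattern: the raw GET parameter is short-echoed into the
// attribute unchanged, so a quote in the input ends the attribute.
function vulnerable_form(array $get): string
{
    $token = $get['token'] ?? '';
    $email = $get['email'] ?? '';
    return '<input type="hidden" name="token" value="' . $token . '">' . "\n"
         . '<input type="email" name="email" value="' . $email . '">';
}

// Fixed pattern: every untrusted value passes through htmlspecialchars()
// before it reaches the attribute.
function fixed_form(array $get): string
{
    $token = $get['token'] ?? '';
    $email = $get['email'] ?? '';
    return '<input type="hidden" name="token" value="' . attr($token) . '">' . "\n"
         . '<input type="email" name="email" value="' . attr($email) . '">';
}

// Constructed probe: the characters that close an attribute and open new
// markup, plus a single quote, which ENT_QUOTES also encodes.
$probe = ['token' => 'abc"><x>', 'email' => "a@b.example'"];

echo "VULNERABLE:\n", vulnerable_form($probe), "\n\n";
echo "FIXED:\n", fixed_form($probe), "\n";

// In the fixed output every probe character is an entity and the
// attribute boundary survives intact.
assert(strpos(fixed_form($probe), 'value="abc&quot;&gt;&lt;x&gt;"') !== false);
assert(strpos(fixed_form($probe), 'value="a@b.example&#039;"') !== false);
```

Run with `php -d zend.assertions=1 example.php` so the two assertions are evaluated rather than skipped.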

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wallosapp; Wallosapp wallos
CPEs | | cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*
Vendors & Products | | Wallosapp; Wallosapp wallos
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Mon, 09 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ellite; Ellite wallos
Vendors & Products | | Ellite; Ellite wallos

Sat, 07 Mar 2026 06:00:00 +0000

Type | Values Removed | Values Added
Description | | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["email"] directly into HTML input value attributes using <?= $token ?> and <?= $email ?> without calling htmlspecialchars(). This allows reflected XSS by breaking out of the attribute context. This issue has been patched in version 4.6.2.
Title | | Wallos: Reflected XSS via unescaped token and email parameters in passwordreset.php
Weaknesses | | CWE-79
References | |
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:24:17.496Z

Reserved: 2026-03-05T21:06:44.606Z

Link: CVE-2026-30841

Vulnrichment

Updated: 2026-03-09T20:18:51.363Z

NVD

Status : Analyzed

Published: 2026-03-07T06:16:11.610

Modified: 2026-03-11T18:08:36.453

Link: CVE-2026-30841

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:15:18Z

Weaknesses