Description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint allows any authenticated user to inject arbitrary JavaScript that executes when any user visits the Settings, Subscriptions, or Statistics pages. Combined with the wallos_login authentication cookie lacking the HttpOnly flag, this enables full session hijacking. This issue has been patched in version 4.7.0.
Published: 2026-03-24
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS leading to session hijacking
Action: Immediate Patch
AI Analysis

Impact

Wallos is an open‑source, self‑hosted personal subscription tracker. A stored cross‑site scripting flaw exists in the payment method rename endpoint that allows any authenticated user to inject arbitrary JavaScript. The injected code runs when other users visit Settings, Subscriptions, or Statistics pages, giving the attacker the ability to steal or manipulate session data. Combined with the wallos_login cookie lacking the HttpOnly flag, successful exploitation can lead to full session hijacking.

Affected Systems

The vulnerability affects all versions of Wallos (vendor ellite) before version 4.7.0. Users of any earlier release are exposed. No specific sub-versions are listed.

Risk and Exploitability

The flaw has a CVSS v3.1 score of 5.4, placing it in the moderate range, and an EPSS score of less than 1%, indicating a low probability of exploitation. The vulnerability requires an authenticated user to trigger the rename action, so only users with valid credentials can exploit it. Because the injected code executes in another user's browser, the injected JavaScript could read the session cookie. The combination of stored XSS and a non-HttpOnly authentication cookie enables complete session hijacking. The vulnerability is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on March 26, 2026 at 21:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wallos to version 4.7.0 or later to remove the XSS flaw.
  • Configure the web server to set the HttpOnly flag on the wallos_login cookie to prevent JavaScript access to session data.
  • If an upgrade is not immediately possible, restrict or revoke the ability of users to rename payment methods to limit the attack surface.
  • Monitor for anomalous client‑side script activity and review logs for attempts to inject code.
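Two of the actions above (the HttpOnly flag on wallos_login and the stored-name rendering that the XSS abuses) can be checked and demonstrated with a small script. The following is an added example written for this page; it is not code from the OpenCVE page or from the Wallos project, and the Set-Cookie header lines and payment-method names it uses are constructed samples, not captured from a real deployment.

```python
"""Added example (not from OpenCVE or Wallos): audit the attributes on a
session cookie and render user-controlled names with HTML escaping.
All header lines and names below are constructed for illustration."""
import html
from typing import Dict, List, Tuple

# Attributes a session cookie should carry. SameSite is checked in addition,
# as a defence-in-depth attribute, even though the page only names HttpOnly.
REQUIRED_FLAGS = ("HttpOnly", "Secure")

# Constructed sample headers: a weak login response and a hardened one.
WEAK_HEADERS = [
    "Set-Cookie: wallos_login=abc123; Path=/; Expires=Wed, 01 Apr 2026 00:00:00 GMT",
]
HARDENED_HEADERS = [
    "Set-Cookie: wallos_login=abc123; Path=/; Expires=Wed, 01 Apr 2026 00:00:00 GMT; "
    "HttpOnly; Secure; SameSite=Lax",
]


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie line into (cookie name, {attribute: value}).

    Attribute names are lower-cased so comparisons are case-insensitive;
    valueless attributes such as HttpOnly map to an empty string.
    """
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def missing_cookie_flags(headers: List[str], cookie_name: str) -> List[str]:
    """Return the protective attributes absent from the named cookie.

    An empty list means HttpOnly, Secure and SameSite are all present.
    Raises ValueError if the cookie is never set in the given headers.
    """
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        missing = [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]
        if "samesite" not in attrs:
            missing.append("SameSite")
        return missing
    raise ValueError(f"cookie {cookie_name!r} is not set in these headers")


def render_payment_method(name: str) -> str:
    """Render a stored payment-method name as an HTML list item.

    html.escape turns <, >, &, quotes into entities, so markup typed into a
    rename field is displayed literally instead of being interpreted.
    """
    return f"<li>{html.escape(name, quote=True)}</li>"


if __name__ == "__main__":
    print("weak:    ", missing_cookie_flags(WEAK_HEADERS, "wallos_login"))
    print("hardened:", missing_cookie_flags(HARDENED_HEADERS, "wallos_login"))
    print(render_payment_method("Visa & <b>debit</b>"))
```

To audit a live deployment, feed missing_cookie_flags the Set-Cookie lines from the login response (for example those shown by curl -i); an empty result is the state the recommended actions aim for, and any listed flag is one the server still has to add.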


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 20:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wallosapp; Wallosapp wallos
CPEs                |                | cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*
Vendors & Products  |                | Wallosapp; Wallosapp wallos

Wed, 25 Mar 2026 12:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Ellite; Ellite wallos
Vendors & Products  |                | Ellite; Ellite wallos

Tue, 24 Mar 2026 21:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 18:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint allows any authenticated user to inject arbitrary JavaScript that executes when any user visits the Settings, Subscriptions, or Statistics pages. Combined with the wallos_login authentication cookie lacking the HttpOnly flag, this enables full session hijacking. This issue has been patched in version 4.7.0.
Title       |                | Wallos: Stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T20:21:38.544Z

Reserved: 2026-03-19T17:02:34.170Z

Link: CVE-2026-33400

Vulnrichment

Updated: 2026-03-24T20:21:32.685Z

NVD

Status : Analyzed

Published: 2026-03-24T18:16:11.310

Modified: 2026-03-26T20:39:08.093

Link: CVE-2026-33400

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:20:50Z

Weaknesses