CVE-2026-30842
published 2026-03-07

Priority: P4 | 24 | medium | 4.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.30% (21.3th percentile)

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any authenticated user who knows or can discover another user's uploaded avatar filename can delete that file. This issue has been patched in version 4.6.2.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
ellite | wallos | < 4.6.2 | 4.6.2
wallosapp | wallos | < 4.6.2 | 4.6.2