Wallosapp Wallos vulnerabilities
16 known vulnerabilities affecting wallosapp/wallos.
Total CVEs: 16
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 6, MEDIUM 7
Vulnerabilities
CVE-2024-55372 | P2 | CRITICAL | CVSS 9.8 | CWE-73 | affected: ≤ 2.38.2 | 2025-04-16
Wallos <=2.38.2 has a file upload vulnerability in the restore database function, which allows unauthenticated users to restore database by uploading a ZIP file. The contents of the ZIP file are extracted on the server. This functionality enables an unauthenticated attacker to upload malicious files to the server. Once a web shell is installed, the
Source: NVD
CVE-2024-55371 | P2 | CRITICAL | CVSS 9.8 | CWE-73 | affected: ≤ 2.38.2 | 2025-04-16
Wallos <= 2.38.2 has a file upload vulnerability in the restore backup function, which allows authenticated users to restore backups by uploading a ZIP file. The contents of the ZIP file are extracted on the server. This functionality enables an authenticated attacker (being an administrator is not required) to upload malicious files to the server.
Source: NVD
CVE-2026-33407 | P3 | CRITICAL | CVSS 9.1 | CWE-918 | fixed in 4.7.0 | 2026-03-24
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling SSRF via proxy hijacking. The server performs DNS resolution on user-supplied search terms, which can be controlled by attackers to tr
Source: NVD
CVE-2026-30840 | P3 | HIGH | CVSS 8.8 | CWE-295 | fixed in 4.6.2 | 2026-03-07
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2.
Source: NVD
CVE-2026-27479 | P3 | HIGH | CVSS 7.7 | CWE-918 | fixed in 4.6.1 | 2026-02-21
Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery (SSRF) vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the request, but allows HTTP redirects (CURLOPT_FOLLOWLOCAT
Source: NVD
CVE-2024-29320 | P3 | HIGH | CVSS 8.1 | CWE-89 | fixed in 1.15.3 | 2024-04-30
Wallos before 1.15.3 is vulnerable to SQL Injection via the category and payment parameters to /subscriptions/get.php.
Source: NVD
CVE-2026-33399 | P3 | HIGH | CVSS 7.7 | CWE-918 | fixed in 4.7.0 | 2026-03-24
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection was added to the test* notification endpoints but not to the corresponding save* endpoints. An authenticated user can sa
Source: NVD
CVE-2026-30828 | P3 | HIGH | CVSS 7.5 | CWE-22 | fixed in 4.6.2 | 2026-03-07
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.2.
Source: NVD
CVE-2026-33401 | P3 | MEDIUM | CVSS 6.5 | fixed in 4.7.0 | 2026-03-24
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 (CVE-2026-30840) added SSRF protection to notification test endpoints but left three additional attack surfaces unprotected: the AI Ollama host parameter, the AI recommendations endpoint, and the notification cron job. An a
Source: NVD
CVE-2026-33417 | P3 | HIGH | CVSS 7.1 | CWE-613 | fixed in 4.7.2 | 2026-03-24
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp column, but the token validation logic never checks it. A password reset token remains valid indefinitely until it is used, allowing an attacker who inter
Source: NVD
CVE-2026-30841 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 4.6.2 | 2026-03-07
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["email"] directly into HTML input value attributes without calling htmlspecialchars(). This allows reflected XSS by breaking out of the attribute context. This issue has been patched in version 4.
Source: NVD
CVE-2026-33400 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 4.7.0 | 2026-03-24
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint allows any authenticated user to inject arbitrary JavaScript that executes when any user visits the Settings, Subscriptions, or Statistics pages. Combined with the wallo
Source: NVD
CVE-2026-30839 | P4 | MEDIUM | CVSS 4.3 | CWE-918 | fixed in 4.6.2 | 2026-03-07
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in version 4.6.2.
Source: NVD
CVE-2026-30842 | P4 | MEDIUM | CVSS 4.3 | CWE-862 | fixed in 4.6.2 | 2026-03-07
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any authenticated user who knows or can discover another us
Source: NVD
CVE-2024-57386 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected: v2.41.0 | 2025-01-23
Cross Site Scripting vulnerability in Wallos v.2.41.0 allows a remote attacker to execute arbitrary code via the profile picture function.
Source: NVD
CVE-2024-22776 | P4 | MEDIUM | CVSS 4.7 | CWE-79 | affected: ≥ 0.9, < 1.2.3 | 2024-02-23
Wallos 0.9 is vulnerable to Cross Site Scripting (XSS) in all text-based input fields without proper validation, excluding those requiring specific formats like date fields.
Source: NVD