{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30841", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:06:44.606Z", "datePublished": "2026-03-07T05:40:58.767Z", "dateUpdated": "2026-03-09T20:24:17.496Z"}, "containers": {"cna": {"title": "Wallos: Reflected XSS via unescaped token and email parameters in passwordreset.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/ellite/Wallos/security/advisories/GHSA-75hc-fc26-9797", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ellite/Wallos/security/advisories/GHSA-75hc-fc26-9797"}, {"name": "https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d", "tags": ["x_refsource_MISC"], "url": "https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d"}, {"name": "https://github.com/ellite/Wallos/releases/tag/v4.6.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/ellite/Wallos/releases/tag/v4.6.2"}], "affected": [{"vendor": "ellite", "product": "Wallos", "versions": [{"version": "< 4.6.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T05:40:58.767Z"}, "descriptions": [{"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET[\"token\"] and $_GET[\"email\"] directly into HTML input value attributes using <?= $token ?> and <?= $email ?> without calling htmlspecialchars(). This allows reflected XSS by breaking out of the attribute context. This issue has been patched in version 4.6.2."}], "source": {"advisory": "GHSA-75hc-fc26-9797", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30841", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:16:31.459830Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:24:17.496Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30841", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:16:31.459830Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:18:51.363Z"}}], "cna": {"title": "Wallos: Reflected XSS via unescaped token and email parameters in passwordreset.php", "source": {"advisory": "GHSA-75hc-fc26-9797", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "ellite", "product": "Wallos", "versions": [{"status": "affected", "version": "< 4.6.2"}]}], "references": [{"url": "https://github.com/ellite/Wallos/security/advisories/GHSA-75hc-fc26-9797", "name": "https://github.com/ellite/Wallos/security/advisories/GHSA-75hc-fc26-9797", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d", "name": "https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ellite/Wallos/releases/tag/v4.6.2", "name": "https://github.com/ellite/Wallos/releases/tag/v4.6.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET[\"token\"] and $_GET[\"email\"] directly into HTML input value attributes using <?= $token ?> and <?= $email ?> without calling htmlspecialchars(). This allows reflected XSS by breaking out of the attribute context. This issue has been patched in version 4.6.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T05:40:58.767Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30841", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:24:17.496Z", "dateReserved": "2026-03-05T21:06:44.606Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T05:40:58.767Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*", "matchCriteriaId": "0369A77F-C023-4EE5-873B-7466F873A8A9", "versionEndExcluding": "4.6.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET[\"token\"] and $_GET[\"email\"] directly into HTML input value attributes using <?= $token ?> and <?= $email ?> without calling htmlspecialchars(). This allows reflected XSS by breaking out of the attribute context. This issue has been patched in version 4.6.2."}, {"lang": "es", "value": "Wallos es un rastreador de suscripciones personales de c\u00f3digo abierto y autoalojable. Antes de la versi\u00f3n 4.6.2, passwordreset.PHP muestra $_GET['token'] y $_GET['email'] directamente en los atributos de valor de entrada HTML usando y sin llamar a htmlspecialchars(). Esto permite XSS reflejado al salir del contexto del atributo. Este problema ha sido parcheado en la versi\u00f3n 4.6.2."}], "id": "CVE-2026-30841", "lastModified": "2026-03-11T18:08:36.453", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-07T06:16:11.610", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/ellite/Wallos/releases/tag/v4.6.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ellite/Wallos/security/advisories/GHSA-75hc-fc26-9797"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.6.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Wallos", "source": "cna", "vendor": "ellite"}, "product": "wallos", "vendor": "ellite"}], "analysis": {"en": {"generated_at": "2026-04-17T12:14:18.477425+00:00", "value": {"mitigation_remediation": ["Update to Wallos 4.6.2 or later.", "If an upgrade cannot be performed immediately, modify passwordreset.php to escape the token and email parameters with htmlspecialchars() before rendering them.", "Deploy WAF rules or content\u2011security\u2011policy headers to block or mitigate reflective XSS payloads targeting the password reset endpoint."], "summary": {"action": "Patch Now", "impact": "Reflected XSS in password reset fields can lead to client\u2011side script execution."}, "threat_synthesis": {"affected_systems": "Wallos, an open\u2011source personal subscription tracker by ellite, is affected in all releases prior to version 4.6.2. The issue was fixed in the 4.6.2 release and later. Users running older versions should verify their build and apply the update.", "description_and_impact": "The vulnerability occurs when passwordreset.php outputs the token and email GET parameters directly into HTML input attributes without escaping, enabling an attacker to inject JavaScript that will execute in the victim\u2019s browser. The flaw is a reflected Cross\u2011Site Scripting weakness identified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a moderate severity. The EPSS score of less than 1% suggests a very low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via a crafted link to the password reset page; no authentication or local access is required, making the attack vector inferred from the description."}}}}, "created": "2026-03-09T10:05:50.286183+00:00", "updated": "2026-04-17T12:15:18.176654+00:00", "vendors": ["ellite", "ellite$PRODUCT$wallos"]}