CVE-2026-30842

Medium CVSS: 4.3

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any authenticated user who knows or can discover another user's uploaded avatar filename can delete that file. This issue has been patched in version 4.6.2.

Vendor

Wallosapp

Product

Wallos

CWE

CWE-862

Yayın Tarihi

2026-03-07 06:16:11

Güncelleme

2026-03-11 18:06:58

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-862 Wallos MEDIUM Wallosapp 2026

Referanslar

https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d https://github.com/ellite/Wallos/releases/tag/v4.6.2 https://github.com/ellite/Wallos/security/advisories/GHSA-qw24-3pxr-3j6r

Benzer Kayıtlar

Medium

CVE-2026-33417

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in…

High

CVE-2026-33399

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in v…

Medium

CVE-2026-33400

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scrip…

High

CVE-2026-33401

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in c…

High

CVE-2026-33407

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/se…

Medium

CVE-2026-30839

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.…