CVE-2026-33417

Medium CVSS: 6.5

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp column, but the token validation logic never checks it. A password reset token remains valid indefinitely until it is used, allowing an attacker who intercepts a reset link at any point to use it days, weeks, or months later. This issue has been patched in version 4.7.2.

Vendor

Wallosapp

Product

Wallos

CWE

CWE-613

Yayın Tarihi

2026-03-24 19:16:53

Güncelleme

2026-03-26 20:59:31

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-613 Wallos MEDIUM Wallosapp 2026

Referanslar

https://github.com/ellite/Wallos/commit/90bb6186ee4091590b6efdef824c85f2494ff2bb https://github.com/ellite/Wallos/security/advisories/GHSA-p3fv-m43r-3fhf

Benzer Kayıtlar

High

CVE-2026-33399

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in v…

Medium

CVE-2026-33400

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scrip…

High

CVE-2026-33401

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in c…

High

CVE-2026-33407

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/se…

Medium

CVE-2026-30839

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.…

High

CVE-2026-30840

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side re…