VYPR
Unrated severityNVD Advisory· Published Mar 7, 2026· Updated Mar 9, 2026

Wallos: Reflected XSS via unescaped token and email parameters in passwordreset.php

CVE-2026-30841

Description

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["email"] directly into HTML input value attributes using <?= $token ?> and <?= $email ?> without calling htmlspecialchars(). This allows reflected XSS by breaking out of the attribute context. This issue has been patched in version 4.6.2.

Affected products

2
  • Ellite/Wallosllm-fuzzy2 versions
    <4.6.2+ 1 more
    • (no CPE)range: <4.6.2
    • (no CPE)range: < 4.6.2

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.