Auth bypass in Ellite Wallos

CVE-2026-30842

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the reques…

Vulnerability class: Broken Access Control

EPSS: 0.000 (2.2th percentile).

CVSS v3 metric

CVSS v3 base score 4.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.

Frequently asked questions

What is CVE-2026-30842?
CVE-2026-30842 is a medium-severity vulnerability in Ellite Wallos, classified under Missing Authorization. CVSS score: 4.3/10. Published 2026-03-07.

How severe is CVE-2026-30842?
Medium severity. CVSS v3 base score is 4.3 out of 10.