Ellite Wallos
14 CVEs affecting Ellite Wallos. Latest disclosed: 2026-05-07. Critical: 0, High: 4.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-30840 | High | 8.8 | 2026-03-07 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notifica… |
| CVE-2026-41688 | High | 7.7 | 2026-05-07 | Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs vi… |
| CVE-2026-33399 | High | 7.7 | 2026-03-24 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE… |
| CVE-2026-27479 | High | 7.7 | 2026-02-21 | Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery (SSRF) vulnerability in t… |
| CVE-2026-33417 | Medium | 6.5 | 2026-03-24 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_reset… |
| CVE-2026-41689 | Medium | 6.0 | 2026-05-07 | Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-co… |
| CVE-2026-33400 | Medium | 5.4 | 2026-03-24 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting (XSS) vulnerability in the payment… |
| CVE-2026-41687 | Medium | 4.3 | 2026-05-07 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.8.1, the SSRF protection in endpoints/subscription/add.php (line 42)… |
| CVE-2026-30842 | Medium | 4.3 | 2026-03-07 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploa… |
| CVE-2026-33401 | | | 2026-03-24 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 (CVE-2026-30840) added… |
| CVE-2026-33407 | | | 2026-03-24 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_P… |
| CVE-2026-30841 | | | 2026-03-07 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["email"] dire… |
| CVE-2026-30839 | | | 2026-03-07 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL ag… |
| CVE-2026-30828 | | | 2026-03-07 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. Th… |