CVE-2026-33400

Published: Mar 24, 2026

Modified: Mar 24, 2026

PUBLISHED

CVSS v3.1

5.4

MEDIUM

Description

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint allows any authenticated user to inject arbitrary JavaScript that executes when any user visits the Settings, Subscriptions, or Statistics pages. Combined with the wallos_login authentication cookie lacking the HttpOnly flag, this enables full session hijacking. This issue has been patched in version 4.7.0.

Vendor	Product	Versions
ellite	Wallos	affected `< 4.7.0`

Weaknesses (CWE)

CWE-79

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/ellite/Wallos/security/advisories/GHSA-p6v5-227f-f3fv

x_refsource_CONFIRM

https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-33400

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References