CVE-2026-30841 MEDIUM

CVE-2026-30841: Wallos: Reflected XSS via unescaped token and email parameters in passwordreset.php

Vendor Ellite
Product Wallos
Weakness CWE-79 · XSS
Published March 7, 2026
Last update March 9, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality impact None (VC:N)
Integrity impact Low (VI:L)

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php writes $_GET["token"] and $_GET["email"] directly into the value attributes of HTML input elements via <?= $token ?> and <?= $email ?> without passing them through htmlspecialchars(). Because both values come straight from the request URL, a crafted link can break out of the attribute context and inject markup, which is a reflected XSS. This issue has been patched in version 4.6.2.
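As an added illustration (not Wallos's own code), the unescaped pattern the description refers to is shown beside an escaped version; the form markup and field names are assumed, and the escaped version uses ENT_QUOTES so that quote characters cannot terminate the attribute:

```php
<?php
// Added illustration, not Wallos source. Form layout and field names are assumed.

// Escape a value for use inside a double-quoted HTML attribute.
// ENT_QUOTES encodes both " and ' so the value cannot end the attribute;
// ENT_SUBSTITUTE avoids htmlspecialchars() returning '' on malformed UTF-8.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Shape of the pre-4.6.2 code as described: the request values are reflected
// verbatim, equivalent to value="<?= $token ?>" in a template.
function renderResetFormUnsafe(string $token, string $email): string
{
    return '<input type="hidden" name="token" value="' . $token . '">'
         . '<input type="email" name="email" value="' . $email . '">';
}

// Corrected shape: every reflected value goes through attr(), equivalent to
// value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>" in a template.
function renderResetFormSafe(string $token, string $email): string
{
    return '<input type="hidden" name="token" value="' . attr($token) . '">'
         . '<input type="email" name="email" value="' . attr($email) . '">';
}

// Constructed sample input containing the characters that matter in an
// attribute context: a double quote and angle brackets.
$token = 'abc123"x<y>';
$email = 'user@example.com';

echo renderResetFormUnsafe($token, $email), PHP_EOL;
// The quote is emitted raw, so the value attribute closes after abc123 and
// the rest of the string lands in tag context.

echo renderResetFormSafe($token, $email), PHP_EOL;
// value="abc123&quot;x&lt;y&gt;": the browser decodes this back to the
// original string when reading the field, but it never leaves the attribute.

// Defender's check: no raw quote or angle bracket survives escaping.
$escaped = attr($token);
assert(strpos($escaped, '"') === false);
assert(strpos($escaped, '<') === false);
assert(strpos($escaped, '>') === false);
```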

Key dates

Disclosure timeline

March 7, 2026 CVE published
March 9, 2026 Record updated