CVE-2026-30842 MEDIUM

CVE-2026-30842: Wallos: Authenticated Missing Authorization Allows Deletion of Other Users’ Uploaded Avatars

Vendor Ellite
Product Wallos
Weakness CWE-862 · Missing authorization
Published March 7, 2026
Last update March 10, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any authenticated user who knows or can discover another user's uploaded avatar filename can delete that file. This issue has been patched in version 4.6.2.

Key dates

02Disclosure timeline

March 7, 2026 CVE published
March 10, 2026 Record updated