Security Advisory

CVE-2026-30841

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-07 05:40:58

Last updated 2026-03-09 20:24:17

Assigner GitHub_M

State PUBLISHED

Description

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["email"] directly into HTML input value attributes using <?= $token ?> and <?= $email ?> without calling htmlspecialchars(). This allows reflected XSS by breaking out of the attribute context. This issue has been patched in version 4.6.2.

← Browse all CVEs View on cve.org ↗