CVE-2026-30828

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.2.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d	Patch
https://github.com/ellite/Wallos/releases/tag/v4.6.2	Release Notes
https://github.com/ellite/Wallos/security/advisories/GHSA-p7qj-669r-grvc	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*

History

11 Mar 2026, 18:59

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
First Time		Wallosapp wallos Wallosapp
References	~~() https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d -~~	() https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d - Patch
References	~~() https://github.com/ellite/Wallos/releases/tag/v4.6.2 -~~	() https://github.com/ellite/Wallos/releases/tag/v4.6.2 - Release Notes
References	~~() https://github.com/ellite/Wallos/security/advisories/GHSA-p7qj-669r-grvc -~~	() https://github.com/ellite/Wallos/security/advisories/GHSA-p7qj-669r-grvc - Exploit, Vendor Advisory
Summary		(es) Wallos es un rastreador de suscripciones personal de código abierto y autoalojable. Antes de la versión 4.6.2, el parámetro url podía ser utilizado para recuperar archivos del sistema local. Este problema ha sido parcheado en la versión 4.6.2.
CPE		cpe:2.3:a:wallosapp:wallos::::::::

07 Mar 2026, 06:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-07 06:16

Updated : 2026-03-11 18:59

NVD link : CVE-2026-30828

Mitre link : CVE-2026-30828

CVE.ORG link : CVE-2026-30828

JSON object : View

Products Affected

wallosapp

wallos

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-29

Path Traversal: '\..\filename'

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-30828", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-07T06:16:10.720", "references": [{"url": "https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ellite/Wallos/releases/tag/v4.6.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ellite/Wallos/security/advisories/GHSA-p7qj-669r-grvc", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-29"}, {"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.2."}, {"lang": "es", "value": "Wallos es un rastreador de suscripciones personal de c\u00f3digo abierto y autoalojable. Antes de la versi\u00f3n 4.6.2, el par\u00e1metro url pod\u00eda ser utilizado para recuperar archivos del sistema local. Este problema ha sido parcheado en la versi\u00f3n 4.6.2."}], "lastModified": "2026-03-11T18:59:07.240", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0369A77F-C023-4EE5-873B-7466F873A8A9", "versionEndExcluding": "4.6.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}