CVE-2026-30842

{"id": "CVE-2026-30842", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-03-07T06:16:11.763", "references": [{"url": "https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ellite/Wallos/releases/tag/v4.6.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ellite/Wallos/security/advisories/GHSA-qw24-3pxr-3j6r", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any authenticated user who knows or can discover another user's uploaded avatar filename can delete that file. This issue has been patched in version 4.6.2."}, {"lang": "es", "value": "Wallos es un rastreador de suscripciones personal de c\u00f3digo abierto y autoalojable. Antes de la versi\u00f3n 4.6.2, Wallos permite a un usuario autenticado eliminar archivos de avatar subidos por otros usuarios. El endpoint de eliminaci\u00f3n de avatares no verifica que el avatar solicitado pertenezca al usuario actual. Como resultado, cualquier usuario autenticado que conozca o pueda descubrir el nombre de archivo del avatar subido de otro usuario puede eliminar ese archivo. Este problema ha sido parcheado en la versi\u00f3n 4.6.2."}], "lastModified": "2026-03-11T18:06:58.190", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0369A77F-C023-4EE5-873B-7466F873A8A9", "versionEndExcluding": "4.6.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}