Every CVE whose affected-product data names Wallosapp Wallos, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (16)
CVE-2024-55372 — CVSS 9.8 (critical): Wallos <=2.38.2 has a file upload vulnerability in the restore database function, which allows unauthenticated users to restore database by…
CVE-2024-55371 — CVSS 9.8 (critical): Wallos <= 2.38.2 has a file upload vulnerability in the restore backup function, which allows authenticated users to restore backups by…
CVE-2026-33407 — CVSS 9.1 (critical): Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts…
CVE-2026-30840 — CVSS 8.8 (high): Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery…
CVE-2024-29320 — CVSS 8.1 (high): Wallos before 1.15.3 is vulnerable to SQL Injection via the category and payment parameters to /subscriptions/get.php.
CVE-2026-27479 — CVSS 7.7 (high): Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery…
CVE-2026-33399 — CVSS 7.7 (high): Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for…
CVE-2026-30828 — CVSS 7.5 (high): Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve…
CVE-2026-33417 — CVSS 6.5 (medium): Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never…
CVE-2026-33401 — CVSS 6.5 (medium): Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591…
CVE-2024-57386 — CVSS 6.1 (medium): Cross Site Scripting vulnerability in Wallos v.2.41.0 allows a remote attacker to execute arbitrary code via the profile picture function.
CVE-2026-30841 — CVSS 6.1 (medium): Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and…
CVE-2026-33400 — CVSS 5.4 (medium): Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting (XSS)…
CVE-2024-22776 — CVSS 4.7 (medium): Wallos 0.9 is vulnerable to Cross Site Scripting (XSS) in all text-based input fields without proper validation, excluding those requiring…
CVE-2026-30842 — CVSS 4.3 (medium): Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to…
CVE-2026-30839 — CVSS 4.3 (medium): Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not…