← Zuruck zu CVEs
CVE-2026-30842
MEDIUM4.3
Beschreibung
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any authenticated user who knows or can discover another user's uploaded avatar filename can delete that file. This issue has been patched in version 4.6.2.
CVE Details
CVSS v3.1 Bewertung4.3
SchweregradMEDIUM
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienLOW
BenutzerinteraktionNONE
Veroffentlicht3/7/2026
Zuletzt geandert3/11/2026
Quellenvd
Honeypot-Sichtungen0
Betroffene Produkte
wallosapp:wallos
Schwachen (CWE)
CWE-862
Referenzen
https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d(security-advisories@github.com)
https://github.com/ellite/Wallos/releases/tag/v4.6.2(security-advisories@github.com)
https://github.com/ellite/Wallos/security/advisories/GHSA-qw24-3pxr-3j6r(security-advisories@github.com)
IOC Korrelationen
Keine Korrelationen erfasst
This product uses data from the NVD API but is not endorsed or certified by the NVD.