CVE-2026-33400— Wallos: Stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33400
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Wallos: Stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint
Source: NVD (National Vulnerability Database)
Vulnerability Description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint allows any authenticated user to inject arbitrary JavaScript that executes when any user visits the Settings, Subscriptions, or Statistics pages. Combined with the wallos_login authentication cookie lacking the HttpOnly flag, this enables full session hijacking. This issue has been patched in version 4.7.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Wallos 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Wallos是Miguel Ribeiro个人开发者的一个开源个人订阅跟踪器。 Wallos 4.7.0之前版本存在跨站脚本漏洞,该漏洞源于支付方式重命名端点存在存储型跨站脚本,可能导致任何经过身份验证的用户注入任意JavaScript,并在任何用户访问设置、订阅或统计页面时执行,结合缺少HttpOnly标志的wallos_login认证cookie,可能导致完整会话劫持。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-33400
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-33400
请登录查看更多情报信息。
Same Patch Batch · ellite · 2026-03-24 · 5 CVEs total
| CVE-2026-33399 | 7.7 HIGH | Wallos: SSRF Bypass - Incomplete Fix for CVE-2026-30839/30840 |
| CVE-2026-33417 | 6.5 MEDIUM | Wallos: Password Reset Tokens Never Expire |
| CVE-2026-33401 | Wallos: Incomplete fix for CVE-2026-30840 - SSRF in AI and notification endpoints bypass s | |
| CVE-2026-33407 | Wallos: SSRF via HTTP Proxy Environment Variable |
IV. Related Vulnerabilities
Same product: Wallos
- CVE-2026-41689
Wallos: Shared local webhook allowlist lets low-privilege us - CVE-2026-41688
Incomplete fix for CVE-2026-33399: SSRF in Wallos - CVE-2026-41687
Wallos: SSRF CGNAT Bypass in subscription/payments Logo URL - CVE-2026-33417
Wallos: Password Reset Tokens Never Expire - CVE-2026-33401
Wallos: Incomplete fix for CVE-2026-30840 - SSRF in AI and n
Same vendor: ellite
- CVE-2026-41689
Wallos: Shared local webhook allowlist lets low-privilege us - CVE-2026-41688
Incomplete fix for CVE-2026-33399: SSRF in Wallos - CVE-2026-41687
Wallos: SSRF CGNAT Bypass in subscription/payments Logo URL - CVE-2026-33417
Wallos: Password Reset Tokens Never Expire - CVE-2026-33401
Wallos: Incomplete fix for CVE-2026-30840 - SSRF in AI and n
Same weakness: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. Comments for CVE-2026-33400
No comments yet