
Vulnerability Details CVE-2026-30841

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["email"] directly into HTML input value attributes using <?= $token ?> and <?= $email ?> without calling htmlspecialchars(). This allows reflected XSS by breaking out of the attribute context. This issue has been patched in version 4.6.2.
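The output pattern described above, next to an escaped version, as an added example that is not Wallos source code. The form markup, the function names and the sample values are constructed for illustration; only the token and email parameters come from the description.

```php
<?php
// Added illustration, not Wallos source. Markup, helper names and sample
// values are assumptions; only the token/email parameters come from the advisory.

// Encode a value for an HTML attribute. ENT_QUOTES covers both quote styles,
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Query parameters can arrive as arrays (?token[]=x); accept strings only.
function param(array $get, string $key): string
{
    return is_string($get[$key] ?? null) ? $get[$key] : '';
}

// Before: request values concatenated straight into value="...".
function render_unescaped(array $get): string
{
    return '<input type="hidden" name="token" value="' . ($get['token'] ?? '') . '">'
         . '<input type="hidden" name="email" value="' . ($get['email'] ?? '') . '">';
}

// After: identical markup, every dynamic value goes through attr().
function render_escaped(array $get): string
{
    return '<input type="hidden" name="token" value="' . attr(param($get, 'token')) . '">'
         . '<input type="hidden" name="email" value="' . attr(param($get, 'email')) . '">';
}

// Constructed input: a quote ends the attribute, harmless <i> markup follows.
$sample = ['token' => 'abc"><i>x</i>', 'email' => "user@example.test' data-x='1"];

// Print both renderings and count the raw <i> tags that reach the page.
foreach (['render_unescaped', 'render_escaped'] as $fn) {
    $html = $fn($sample);
    printf("%-17s raw <i> tags: %d\n%s\n\n", $fn, substr_count($html, '<i>'), $html);
}
```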
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 13.4%
CVSS Severity

