CVE-2026-30828
Severity: HIGH
WAF: High
CVSS 7.5
Published: 2026-03-07
CWE-22 CWE-918
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.2.
WAF Coverage Analysis
| Weakness | WAF Coverage | OWASP | Rules |
|---|---|---|---|
| Path Traversal | High | A01:2021 Broken Access Control | 930xxx - Local File Inclusion |
| Server-Side Request Forgery (SSRF) | Medium | A10:2021 SSRF | 934xxx - Node.js / Generic Injection |
Affected Software
| Vendor | Product | Version |
|---|---|---|
| wallosapp | wallos | before 4.6.2 |
References
- github.com (Patch)
- github.com (Release Notes)
- github.com (Exploit, Vendor Advisory)