CVE-2026-33417

EUVD-2026-14967

24.03.2026, 19:16

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp column, but the token validation logic never checks it. A password reset token remains valid indefinitely until it is used, allowing an attacker who intercepts a reset link at any point to use it days, weeks, or months later. This issue has been patched in version 4.7.2.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
GitHub_M	CNA	6.5 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
wallosapp	wallos	𝑥 < 4.7.2

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/ellite/Wallos/security/advisories/GHSA-p3fv-m43r-3fhf

Common Weakness Enumeration

CWE-613 - Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References

https://github.com/ellite/Wallos/commit/90bb6186ee4091590b6efdef824c85f2494ff2bb

https://github.com/ellite/Wallos/security/advisories/GHSA-p3fv-m43r-3fhf