Tunelko

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate webhook url for ssrf() protection was added to the test* notification endpoints but not to the corresponding save* endpoints. An authenticated user can save an internal/private IP address as a notification URL, and when the cron job sendnotifications.php executes, the request is sent to the internal IP without any SSRF validation. This issue has been patched in version 4.7.0.

**Name of the Vulnerable Software and Affected Versions** Wallos versions prior to 4.7.0 **Description** A stored cross-site scripting (XSS) flaw exists in the payment method rename endpoint. This allows any authenticated user to inject arbitrary JavaScript code that will execute when other users access the Settings, Subscriptions, or Statistics pages. The `wallos login` authentication cookie does not have the HttpOnly flag set, which enables full session hijacking when combined with the XSS flaw. The API endpoint affected is the payment method rename endpoint. The vulnerable component is the functionality that handles renaming payment methods. **Recommendations** Update to version 4.7.0 or later.

**Name of the Vulnerable Software and Affected Versions** Wallos versions prior to 4.7.2 **Description** Wallos is a personal subscription tracker that allows self-hosting and is open-source. Prior to version 4.7.2, password reset tokens did not expire. The `password resets` table contains a `created at` timestamp, but the token validation logic does not verify it. This allows an attacker who intercepts a password reset link to use it indefinitely, even days, weeks, or months after it was initially sent. **Recommendations** Update to version 4.7.2 or later.

**Name of the Vulnerable Software and Affected Versions** solidtime versions prior to 0.11.6 **Description** The application is an open-source time-tracking app. A flaw exists in the project detail endpoint, allowing authenticated employees to access any project within an organization using its UUID, including private projects where they are not members. The `index()` endpoint correctly enforces access control using the `visibleByEmployee()` scope, but the `show()` endpoint does not. The vulnerable API endpoint is `GET /api/v1/organizations/{org}/projects/{project}`. The vulnerable parameter is `project`. **Recommendations** Update to version 0.11.6 or later.