CVE-2026-33400

Name of the Vulnerable Software and Affected Versions Wallos versions prior to 4.7.0

Description A stored cross-site scripting (XSS) flaw exists in the payment method rename endpoint. This allows any authenticated user to inject arbitrary JavaScript code that will execute when other users access the Settings, Subscriptions, or Statistics pages. The wallos login authentication cookie does not have the HttpOnly flag set, which enables full session hijacking when combined with the XSS flaw. The API endpoint affected is the payment method rename endpoint. The vulnerable component is the functionality that handles renaming payment methods.

Recommendations Update to version 4.7.0 or later.