PT-2026-27469 · Wallos · Wallos
Tunelko
·
Published
2026-03-24
·
Updated
2026-03-24
·
CVE-2026-33400
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Wallos versions prior to 4.7.0
Description
A stored cross-site scripting (XSS) flaw exists in the payment method rename endpoint. This allows any authenticated user to inject arbitrary JavaScript code that will execute when other users access the Settings, Subscriptions, or Statistics pages. The
wallos login authentication cookie does not have the HttpOnly flag set, which enables full session hijacking when combined with the XSS flaw. The API endpoint affected is the payment method rename endpoint. The vulnerable component is the functionality that handles renaming payment methods.Recommendations
Update to version 4.7.0 or later.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wallos