PT-2026-27481 · Wallos · Wallos

Tunelko

·

Published

2026-03-24

·

Updated

2026-03-24

·

CVE-2026-33417

CVSS v3.1

7.1

High

Vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions Wallos versions prior to 4.7.2
Description Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens never expired: the password-reset table records when each token was created, but the token validation logic never checks that timestamp. An attacker who obtains a password reset link (for example by intercepting the reset email) can therefore use it to reset the account's password indefinitely, days, weeks or months after it was sent.
Recommendations Update to version 4.7.2 or later.
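The validation gap the description names, a stored creation timestamp that the token check never reads, shown as an added example in PHP (Wallos's implementation language). This is not Wallos's code: the `password_resets` schema, the column names, the `issueResetToken`/`validateResetToken*` helpers and the one-hour window are assumptions made for this example. The vulnerable variant sits beside a hardened one that also makes each link single-use, which goes slightly beyond the expiry check the advisory asks for.

```php
<?php
declare(strict_types=1);

// Added example, not Wallos code. Table layout, column names and the
// one-hour window are assumptions; they illustrate the bug class the
// advisory describes (created_at written but never read) and one fix.

const RESET_TOKEN_TTL_SECONDS = 3600; // assumed policy: a link is good for one hour

function setupDb(): PDO
{
    // In-memory SQLite so the example runs offline; schema constructed here.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE password_resets (
        id         INTEGER PRIMARY KEY,
        email      TEXT    NOT NULL,
        token_hash TEXT    NOT NULL UNIQUE,
        created_at INTEGER NOT NULL,
        used_at    INTEGER
    )');
    return $db;
}

function issueResetToken(PDO $db, string $email, int $now): string
{
    // A new request invalidates any earlier outstanding link for the account.
    $db->prepare('DELETE FROM password_resets WHERE email = ?')->execute([$email]);
    $token = bin2hex(random_bytes(32));
    // Store a hash of the token so a leaked table does not hand out usable links.
    $db->prepare('INSERT INTO password_resets (email, token_hash, created_at) VALUES (?, ?, ?)')
       ->execute([$email, hash('sha256', $token), $now]);
    return $token;
}

// Vulnerable pattern, as described in the advisory: created_at is stored but
// never consulted, so the token remains valid for as long as the row exists.
function validateResetTokenVulnerable(PDO $db, string $token): ?string
{
    $stmt = $db->prepare('SELECT email FROM password_resets WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['email'];
}

// Hardened pattern: enforce the time window, reject tokens already used, and
// mark the token used with a conditional UPDATE so a replay of the same link
// (or a concurrent second request) cannot succeed.
function validateResetTokenHardened(PDO $db, string $token, int $now): ?string
{
    $stmt = $db->prepare('SELECT id, email, created_at, used_at FROM password_resets WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                                   // unknown token
    }
    if ($row['used_at'] !== null) {
        return null;                                   // already consumed
    }
    if ($now - (int) $row['created_at'] > RESET_TOKEN_TTL_SECONDS) {
        return null;                                   // expired: the check the vulnerable version lacks
    }
    $upd = $db->prepare('UPDATE password_resets SET used_at = ? WHERE id = ? AND used_at IS NULL');
    $upd->execute([$now, $row['id']]);
    if ($upd->rowCount() !== 1) {
        return null;                                   // another request consumed it first
    }
    return $row['email'];
}

// Scenario: a link issued at $issued, replayed a month later, then used
// inside the window, then presented a second time.
$db     = setupDb();
$issued = 1700000000;
$token  = issueResetToken($db, 'alice@example.com', $issued);

var_dump(validateResetTokenVulnerable($db, $token));                     // time is never consulted
var_dump(validateResetTokenHardened($db, $token, $issued + 30 * 86400)); // replay a month later
var_dump(validateResetTokenHardened($db, $token, $issued + 600));        // first use, ten minutes in
var_dump(validateResetTokenHardened($db, $token, $issued + 700));        // same link presented again
```

Run it with `php reset_tokens.php` (PHP 7.4+ with the pdo_sqlite extension). The vulnerable validator returns the address no matter how much time has passed, which is exactly the behaviour the advisory describes; the hardened one returns null for the month-old replay, returns the address for the in-window first use, and returns null when the same link is presented again. Looking the token up by its hash means the database comparison is an exact-match index lookup rather than a string compare on the secret, so no separate constant-time comparison is needed in application code.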

Weakness Enumeration

CWE-613: Insufficient Session Expiration

Related Identifiers

CVE-2026-33417
GHSA-P3FV-M43R-3FHF

Affected Products

Wallos