Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 (CVE-2026-30840) added SSRF protection to notification test endp
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_w
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint allows any authen
Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every
Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but passes the original
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables without valida
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enablin
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.
Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery (SSRF) vulnerability in the subscription and payment logo/icon upl
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.8.1, the SSRF protection in endpoints/subscription/add.php (line 42) and endpoints/payments/add.php (line 40)
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion e
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["email"] directly into HTML input value attributes usi
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp c
Cross Site Scripting vulnerability in Wallos v.2.41.0 allows a remote attacker to execute arbitrary code via the profile picture function.
Wallos <= 2.38.2 has a file upload vulnerability in the restore backup function, which allows authenticated users to restore backups by uploading a ZIP file. The contents of the ZIP file are extracted
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as `http:///v1/user
Wallos <=2.38.2 has a file upload vulnerability in the restore database function, which allows unauthenticated users to restore database by uploading a ZIP file. The contents of the ZIP file are extra
OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead,
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external
Page 1+ Next →