CVE-2026-30841
Status: Received - Intake
Reflected XSS in Wallos Password Reset Input Fields

Publication date: 2026-03-07

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["email"] directly into HTML input value attributes using <?= $token ?> and <?= $email ?> without calling htmlspecialchars(). This allows reflected XSS by breaking out of the attribute context. This issue has been patched in version 4.6.2.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-07
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: wallosapp
Product: wallos
Version / Range: up to 4.6.2 (exclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-30841 is a reflected Cross-Site Scripting (XSS) vulnerability in the Wallos package, specifically in the passwordreset.php script.

The vulnerability occurs because the script outputs the "token" and "email" parameters received via GET or POST requests directly into HTML input value attributes without proper sanitization or escaping. This is done using PHP short echo tags like <?= $token ?> and <?= $email ?> without calling functions such as htmlspecialchars(), which would encode special characters.

As a result, an attacker can inject malicious scripts by breaking out of the attribute context, causing arbitrary JavaScript to execute when the page is rendered. For example, an email value such as "><img src=x onerror=alert(document.cookie)> is reflected as <input type="hidden" name="email" value=""><img src=x onerror=alert(document.cookie)>, which triggers script execution.

The issue is worsened by the absence of a Content-Security-Policy (CSP) header, which would otherwise restrict script execution. Additionally, when SMTP is not configured, the script redirects but fails to stop execution, so the vulnerable response body is still sent to the client.

The recommended fix is to escape these parameters using htmlspecialchars() with ENT_QUOTES and UTF-8 encoding so that special characters are safely encoded within HTML attributes. [1]

Impact Analysis

This reflected XSS vulnerability can allow attackers to execute arbitrary JavaScript in the context of the affected website, which could be used to:

  • Steal user session cookies or authentication tokens.
  • Perform actions on behalf of the user without their consent.
  • Deface the website or redirect users to malicious sites.
  • Harvest sensitive information entered by users.

Because the vulnerability is in a password reset page, it could be used to trick users into executing malicious scripts during account recovery processes.

Detection Guidance

This vulnerability can be detected by testing the passwordreset.php page for reflected Cross-Site Scripting (XSS): inject payloads into the "token" and "email" GET or POST parameters and observe whether the input is reflected unsanitized in the HTML input value attributes. For example, curl or a browser can send a request with a test payload in the email parameter:

curl -G --data-urlencode "email=\"><img src=x onerror=alert(document.cookie)>" "http://your-wallos-instance/passwordreset.php"

If the response HTML contains the injected markup without escaping (i.e., the payload is reflected inside the value attribute without htmlspecialchars having been applied), the vulnerability is present. Additionally, checking the source code of passwordreset.php for unescaped output of $_GET["token"] and $_GET["email"] in input value attributes confirms the vulnerability. [1]

Mitigation Strategies

The immediate mitigation is to patch the code so that the "token" and "email" parameters are escaped before being output into HTML input value attributes. Specifically, modify passwordreset.php to use htmlspecialchars() with ENT_QUOTES and UTF-8 encoding as follows:

<input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
<input type="hidden" name="email" value="<?= htmlspecialchars($email, ENT_QUOTES, 'UTF-8') ?>">

This ensures that special characters are safely encoded and prevents script injection. Also, ensure that any redirect after an SMTP failure calls exit() so that the response body containing the reflected input is not sent. If patching immediately is not possible, consider deploying a Content-Security-Policy (CSP) header to restrict script execution as a temporary mitigation. [1]
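As an added example (not Wallos code and not the project's passwordreset.php), the PHP below renders the two hidden inputs the advisory describes both the pre-4.6.2 way and with the htmlspecialchars() fix, shows the exit() that must follow the SMTP redirect, and runs a small check on the rendered HTML for an attribute breakout, serving both the detection and the mitigation sections above; the function names and sample values are assumptions.

```php
<?php
// Added illustration, not Wallos code: a stripped-down version of the two
// hidden inputs passwordreset.php emits, rendered first the way the advisory
// describes pre-4.6.2 (raw interpolation) and then with the 4.6.2 fix.
declare(strict_types=1);

// Pre-4.6.2 behaviour: the GET values land inside value="..." untouched.
function renderHiddenInputsVulnerable(string $token, string $email): string
{
    return '<input type="hidden" name="token" value="' . $token . '">' . "\n"
         . '<input type="hidden" name="email" value="' . $email . '">' . "\n";
}

// 4.6.2 fix: encode & < > " ' so the value can never close the attribute.
function renderHiddenInputsFixed(string $token, string $email): string
{
    $t = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    $e = htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $t . '">' . "\n"
         . '<input type="hidden" name="email" value="' . $e . '">' . "\n";
}

// Second point from the advisory: a redirect must stop the script, or the
// form body (with the reflected values) is still appended to the response.
function redirectWhenSmtpMissing(bool $smtpConfigured): void
{
    if (!$smtpConfigured) {
        header('Location: login.php');
        exit(); // without this, execution falls through to the HTML output
    }
}

// Defender-side check on rendered output: every '<' should belong to one of
// the <input> tags we wrote; any extra '<' means the value broke out.
function hasAttributeBreakout(string $html): bool
{
    return substr_count($html, '<') !== preg_match_all('/<input\b/', $html);
}

// Constructed sample values (not from a real instance); the email value is
// the attribute-breakout shape the advisory describes.
$token = 'abc123';
$email = '"><img src=x onerror=alert(document.cookie)>';

$vulnerable = renderHiddenInputsVulnerable($token, $email);
$fixed      = renderHiddenInputsFixed($token, $email);
printf("pre-4.6.2 breakout: %s\n", hasAttributeBreakout($vulnerable) ? 'yes' : 'no');
printf("4.6.2 fix breakout: %s\n", hasAttributeBreakout($fixed) ? 'yes' : 'no');
echo $fixed;
```

The same breakout check can be pointed at a captured response body from the curl request in the detection section: a count of '<' higher than the number of <input> tags means the value was reflected unescaped.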
