CVE-2026-30841
Reflected XSS in Wallos Password Reset Input Fields
Publication date: 2026-03-07
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wallosapp | wallos | to 4.6.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-30841 is a reflected Cross-Site Scripting (XSS) vulnerability in the Wallos package, specifically in the passwordreset.php script.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the script outputs the "token" and "email" parameters received via GET or POST requests directly into HTML input value attributes without proper sanitization or escaping.'}, {'type': 'paragraph', 'content': 'This is done using PHP short tags like <?= $token ?> and <?= $email ?> without calling functions such as htmlspecialchars(), which would encode special characters.'}, {'type': 'paragraph', 'content': 'As a result, an attacker can inject malicious scripts by breaking out of the attribute context, causing arbitrary JavaScript to execute when the page is rendered.'}, {'type': 'paragraph', 'content': 'For example, injecting a payload like <input type="hidden" name="email" value=""><img src=x onerror=alert(document.cookie)> can trigger script execution.'}, {'type': 'paragraph', 'content': 'The issue is worsened by the absence of a Content-Security-Policy (CSP) header, which would otherwise restrict script execution.'}, {'type': 'paragraph', 'content': 'Additionally, when SMTP is not configured, the script redirects but fails to stop execution, still sending the vulnerable response body to the client.'}, {'type': 'paragraph', 'content': 'The recommended fix is to properly escape these parameters using htmlspecialchars() with ENT_QUOTES and UTF-8 encoding to safely encode special characters within HTML attributes.'}] [1]
How can this vulnerability impact me? :
This reflected XSS vulnerability can allow attackers to execute arbitrary JavaScript in the context of the affected website.
- Steal user session cookies or authentication tokens.
- Perform actions on behalf of the user without their consent.
- Deface the website or redirect users to malicious sites.
- Harvest sensitive information entered by users.
Because the vulnerability is in a password reset page, it could be used to trick users into executing malicious scripts during account recovery processes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the passwordreset.php page for reflected Cross-Site Scripting (XSS) by injecting payloads into the "token" and "email" GET or POST parameters and observing if the input is unsanitized and reflected in the HTML input value attributes.'}, {'type': 'paragraph', 'content': 'For example, you can use curl or a browser to send a request with a malicious payload in the email parameter like:'}, {'type': 'list_item', 'content': 'curl -G --data-urlencode "email=\\"\\><img src=x onerror=alert(document.cookie)>" "http://your-wallos-instance/passwordreset.php"'}, {'type': 'paragraph', 'content': 'If the response HTML contains the injected script without proper escaping (i.e., the payload is reflected inside the value attribute without htmlspecialchars), the vulnerability is present.'}, {'type': 'paragraph', 'content': 'Additionally, checking the source code of passwordreset.php for the presence of unescaped output of $_GET["token"] and $_GET["email"] in input value attributes can confirm the vulnerability.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The immediate mitigation is to patch the code to properly escape the "token" and "email" parameters before outputting them into HTML input value attributes.'}, {'type': 'paragraph', 'content': 'Specifically, modify the passwordreset.php file to use htmlspecialchars() with ENT_QUOTES and UTF-8 encoding as follows:'}, {'type': 'list_item', 'content': '<input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, \'UTF-8\') ?>">'}, {'type': 'list_item', 'content': '<input type="hidden" name="email" value="<?= htmlspecialchars($email, ENT_QUOTES, \'UTF-8\') ?>">'}, {'type': 'paragraph', 'content': 'This ensures that special characters are safely encoded and prevents script injection.'}, {'type': 'paragraph', 'content': 'Also, ensure that any redirects after SMTP failures call exit() to prevent the response body containing injected scripts from being sent.'}, {'type': 'paragraph', 'content': 'If patching immediately is not possible, consider implementing a Content-Security-Policy (CSP) header to restrict script execution as a temporary mitigation.'}] [1]