CVE-2026-33400 in Wallos
Summary
by MITRE • 03/24/2026
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint allows any authenticated user to inject arbitrary JavaScript that executes when any user visits the Settings, Subscriptions, or Statistics pages. Combined with the wallos_login authentication cookie lacking the HttpOnly flag, this enables full session hijacking. This issue has been patched in version 4.7.0.
Analysis
by VulDB Data Team • 03/29/2026
CVE-2026-33400 affects Wallos, an open-source personal subscription tracker designed for self-hosted deployment, which lets users manage subscription expenses and recurring payments through a web interface. The flaw lies in the payment method renaming feature, specifically the endpoint that modifies payment method names. Prior to version 4.7.0 the application did not properly sanitize the input submitted in a rename request, creating a persistent cross-site scripting vulnerability exploitable by any authenticated user with minimal privileges.
Technically, the vulnerability stems from inadequate input validation and output encoding in the payment method management feature. When an authenticated user renames a payment method, the application stores the submitted name without sufficient sanitization. The stored name is later rendered on the Settings, Subscriptions, and Statistics pages without HTML escaping or context-appropriate encoding, so JavaScript injected into the payment method name field executes in the browser of every other user who visits those pages: a classic stored XSS. Because these pages are visited frequently by legitimate users, the reach of an injected payload is correspondingly large.
The impact goes beyond script execution because of a second weakness. The wallos_login cookie used for session management lacks the HttpOnly flag, the fundamental control that keeps client-side script from reading a cookie. A stored XSS payload can therefore read the authentication cookie and send it to a remote server, hijacking the victim's session. Together, the two weaknesses let a low-privilege authenticated user escalate to full administrative control of the application, with potential access to all subscription data, user accounts, and system configuration. Every authenticated user is exposed, which makes this a critical issue for any organization relying on Wallos for financial tracking.
Remediation in version 4.7.0 required several changes. The primary fix applies proper input sanitization and context-appropriate output encoding to all user-controllable data in the payment method rename endpoint, closing the stored XSS. The wallos_login authentication cookie is now set with the HttpOnly flag, so client-side script can no longer read the session token. The patch also likely added stricter validation of payment method names to reject malicious input patterns, and a content security policy as a further mitigation. Organizations running Wallos should upgrade to version 4.7.0 or later without delay. The fix aligns with the security practices described in the CWE database under CWE-79 (cross-site scripting) and CWE-310 (cryptographic issues related to session management). The case illustrates the value of defense in depth and of consistent input validation across all application components, particularly in applications handling sensitive financial data. The ATT&CK framework categorizes this as a credential access technique through web application vulnerabilities, targeting session management and input validation weaknesses. Organizations should assess their self-hosted applications for similar issues, particularly where authentication cookies lack proper security flags and where user input is rendered in web pages without adequate sanitization.
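As an added example (not Wallos' own code), the following Python covers the two conditions the analysis describes from the defender's side: it audits a Set-Cookie header for a wallos_login cookie missing HttpOnly (Secure and SameSite are also checked, an assumption beyond the advisory), escapes a stored payment method name for both text and attribute context before rendering, and triages stored names for markup. All cookie header values and payment method names are constructed samples.

```python
"""Added defender-side checks for the two weaknesses behind CVE-2026-33400:
payment-method names rendered unescaped, and wallos_login set without HttpOnly."""
import html
import re

SESSION_COOKIE = "wallos_login"                      # cookie name from the advisory
REQUIRED_FLAGS = ("httponly", "secure", "samesite")  # flags a session cookie should carry
# Markup a stored name should never contain once the rename endpoint validates input.
MARKUP = re.compile(r"</?[a-zA-Z!]|javascript:", re.IGNORECASE)


def render_payment_method(name: str) -> str:
    """Render a stored payment-method name into a table cell. Any authenticated
    user controls this string, so it is HTML-escaped (quotes included) both as
    the text node and as the attribute value before it reaches the browser."""
    safe = html.escape(name, quote=True)
    return f'<td data-name="{safe}">{safe}</td>'


def audit_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value; report the cookie name and which
    required flags are absent (attribute names are case-insensitive)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip() or True
    return {"name": name, "missing": [f for f in REQUIRED_FLAGS if f not in attrs]}


def session_cookie_findings(headers: list[str]):
    """Return the flags missing from wallos_login across a response's Set-Cookie
    headers, or None if the session cookie was not set in that response."""
    for header in headers:
        result = audit_set_cookie(header)
        if result["name"] == SESSION_COOKIE:
            return result["missing"]
    return None


def scan_stored_names(names: list[str]) -> list[str]:
    """Triage helper: return stored names that contain markup, so an operator
    can check whether a payload was planted before the upgrade to 4.7.0."""
    return [n for n in names if MARKUP.search(n)]


if __name__ == "__main__":
    # Constructed headers: the pre-4.7.0 shape without HttpOnly, and a hardened one.
    print(session_cookie_findings(["theme=dark; Path=/", "wallos_login=abc123; Path=/"]))
    print(session_cookie_findings(["wallos_login=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"]))
    print(render_payment_method('Visa "Gold" <b>'))  # escaped, inert in the browser
    print(scan_stored_names(["PayPal", "Card <script>1</script>", "a < b"]))
```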