CVE-2026-30841 is a reflected cross-site scripting (XSS) vulnerability identified in the open-source Wallos subscription tracking application, specifically in versions prior to 4.6.2. The vulnerability exists in the passwordreset.php script, where the GET parameters 'token' and 'email' are embedded directly into HTML input value attributes using PHP short tags (<?= $token ?> and <?= $email ?>) without applying htmlspecialchars() or equivalent output encoding. This improper neutralization of input (CWE-79) allows an attacker to craft a malicious URL containing specially crafted 'token' or 'email' parameters that break out of the attribute context and inject arbitrary JavaScript code. When a victim accesses this URL, the injected script executes in their browser under the domain of the vulnerable Wallos instance, potentially leading to session hijacking, credential theft, or other malicious actions. The vulnerability requires no authentication and no user interaction beyond visiting a crafted URL, increasing its exploitability. The issue was publicly disclosed on March 7, 2026, and patched in Wallos version 4.6.2 by adding proper output encoding to neutralize the input before rendering it in HTML. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) reflects a network attack vector with low attack complexity, no privileges or user interaction required, and limited impact on confidentiality due to the reflected nature of the XSS. No known exploits have been reported in the wild to date.

The primary impact of this vulnerability is the potential for attackers to execute arbitrary JavaScript in the context of users visiting a vulnerable Wallos instance, leading to theft of sensitive information such as session cookies, credentials, or personal data. This can facilitate account takeover, unauthorized actions on behalf of the user, or distribution of malware. Since Wallos is a self-hosted personal subscription tracker, the scale of impact depends on the number of users and the sensitivity of tracked subscription data. Organizations or individuals hosting vulnerable versions may face privacy breaches and reputational damage. The lack of authentication or user interaction requirements makes exploitation straightforward, increasing risk. However, the reflected nature limits persistent impact to users who visit maliciously crafted URLs. No direct impact on system availability or integrity is indicated. Overall, the vulnerability poses a moderate risk, especially for environments where Wallos is publicly accessible and used by multiple users.

The most effective mitigation is to upgrade Wallos installations to version 4.6.2 or later, where the vulnerability has been patched by applying proper output encoding using htmlspecialchars() on user-supplied inputs before rendering them in HTML. For environments where immediate upgrade is not feasible, administrators should implement web application firewall (WAF) rules to detect and block requests containing suspicious script payloads in the 'token' and 'email' parameters. Additionally, configuring Content Security Policy (CSP) headers to restrict inline script execution and untrusted domains can reduce the impact of XSS attacks. Regularly auditing and sanitizing all user inputs and outputs in custom modifications of Wallos is recommended. Educating users to avoid clicking on untrusted links and monitoring logs for anomalous requests targeting passwordreset.php can help detect exploitation attempts. Finally, ensure that session cookies are set with HttpOnly and Secure flags to mitigate cookie theft via XSS.