CVE-2026-30841 is a reflected Cross-site Scripting (XSS) vulnerability identified in the Wallos application, an open-source, self-hostable personal subscription tracker. The vulnerability exists in versions prior to 4.6.2 within the passwordreset.php script, where the application outputs the values of the GET parameters 'token' and 'email' directly into HTML input value attributes using PHP short tags (<?= $token ?> and <?= $email ?>) without applying htmlspecialchars() or equivalent output encoding. This improper neutralization of input (CWE-79) allows an attacker to craft a malicious URL containing specially crafted 'token' or 'email' parameters that break out of the attribute context and inject arbitrary JavaScript code. Because the vulnerability is reflected, the malicious script executes in the victim's browser when they visit the crafted URL, potentially leading to session hijacking, credential theft, or other client-side attacks. The vulnerability requires no authentication or user interaction beyond visiting the malicious link. The issue has been addressed in Wallos version 4.6.2 by properly encoding these parameters before output. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, no impact on confidentiality or availability, and low impact on integrity (limited to victim browser context). No known exploits in the wild have been reported as of the publication date.

The primary impact of this vulnerability is on the confidentiality and integrity of users interacting with the affected Wallos application. An attacker can execute arbitrary JavaScript in the context of the victim's browser, potentially stealing session cookies, performing actions on behalf of the user, or redirecting users to malicious sites. While the vulnerability does not directly compromise the server or backend data, it undermines user trust and can lead to account compromise or data leakage. Organizations hosting Wallos instances, especially those accessible over the internet, face risks of targeted phishing or social engineering attacks leveraging this XSS flaw. Since Wallos is a personal subscription tracker, the exposure of user data or session tokens could lead to privacy violations. The lack of required authentication or user interaction for exploitation increases the risk, as attackers can send malicious links to victims without needing access credentials. However, the scope is limited to users who visit the malicious URL, and the vulnerability does not affect server availability or integrity beyond the client-side impact.

The most effective mitigation is to upgrade Wallos to version 4.6.2 or later, where the vulnerability has been patched by applying proper output encoding (htmlspecialchars) to user-supplied inputs. For organizations unable to upgrade immediately, implementing a Web Application Firewall (WAF) with rules to detect and block malicious payloads in the 'token' and 'email' GET parameters can reduce risk. Additionally, administrators should review and sanitize all user inputs and outputs in custom modifications or integrations of Wallos. Employing Content Security Policy (CSP) headers can mitigate the impact of XSS by restricting script execution sources. Educating users to avoid clicking suspicious links and monitoring logs for unusual URL patterns targeting passwordreset.php can help detect exploitation attempts. Regular security audits and code reviews focusing on input validation and output encoding are recommended to prevent similar issues.