CVE-2026-33400 is a stored cross-site scripting vulnerability identified in Wallos, an open-source, self-hostable personal subscription tracker. The vulnerability resides in the payment method rename endpoint, where input is improperly neutralized during web page generation, classified under CWE-79. Authenticated users can inject arbitrary JavaScript code that is stored and later executed in the context of other users when they access the Settings, Subscriptions, or Statistics pages. This persistent XSS flaw allows attackers to perform actions such as session hijacking, especially since the wallos_login authentication cookie does not have the HttpOnly flag set, making it accessible to JavaScript. The vulnerability requires the attacker to have authenticated access, and victim users must visit the affected pages for the payload to execute. The flaw was addressed and patched in Wallos version 4.7.0. The CVSS v3.1 score of 5.4 reflects a medium severity, with network attack vector, low attack complexity, requiring privileges and user interaction, and impacting confidentiality and integrity but not availability. No known active exploitation has been reported, but the vulnerability poses a risk in environments where Wallos is deployed and used by multiple authenticated users.

The primary impact of this vulnerability is the potential for session hijacking and unauthorized actions within the Wallos application. Attackers with authenticated access can inject malicious scripts that execute in other users' browsers, potentially stealing session cookies or performing actions on behalf of victims. This compromises user confidentiality and integrity of the application data. While availability is not affected, the breach of session security can lead to unauthorized access to sensitive subscription and payment information. Organizations using Wallos in multi-user environments are at risk of internal or external attackers exploiting this flaw to escalate privileges or impersonate users. Given Wallos is a personal subscription tracker, the impact may be more significant for users with sensitive financial data or those integrating Wallos with other services. The lack of HttpOnly flag on authentication cookies increases the risk of session theft, making mitigation urgent. However, the requirement for authentication and user interaction limits the attack scope somewhat.

To mitigate this vulnerability, organizations should immediately upgrade Wallos to version 4.7.0 or later, where the issue is patched. In addition to upgrading, administrators should ensure that the wallos_login authentication cookie is set with the HttpOnly flag to prevent JavaScript access to session tokens. Implement strict input validation and output encoding on all user-supplied data, especially in endpoints that modify payment methods or other sensitive settings. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Regularly audit and monitor logs for suspicious activities related to payment method changes or unusual authenticated user behavior. Educate users to avoid clicking suspicious links or visiting untrusted pages within the application. If upgrading immediately is not feasible, consider restricting access to the affected endpoints to trusted users only and isolate the Wallos instance within a secure network segment. Finally, conduct penetration testing to verify the absence of XSS vulnerabilities post-patching.