Unauthorized File Deletion in Wallos Personal Subscription Tracker
CVE-2026-30842

4.3MEDIUM

Key Information:

Vendor

Ellite

Status
Wallos
Vendor
CVE Published:
7 March 2026

What is CVE-2026-30842?

Wallos is a self-hostable personal subscription tracker that, prior to version 4.6.2, permitted an authenticated user to delete avatar files uploaded by other users. The vulnerability exists due to a lack of proper verification in the avatar deletion endpoint, which fails to ensure that the avatar being deleted belongs to the current user. Consequently, any authenticated user could exploit this flaw by discovering another user’s avatar filename and deleting it. This issue has been rectified in version 4.6.2.

Affected Version(s)

Wallos < 4.6.2

References

https://github.com/ellite/Wallos/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/ellite/Wallos/commit/e8a513591dbbf8859...
x_refsource_MISC
https://github.com/ellite/Wallos/releases/tag/v4.6.2
x_refsource_MISC

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.