
Malicious users can delete other users' uploaded photos in Wallos

CVE-2026-30842
Summary

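An attacker with a Wallos account can delete avatar photos uploaded by other users, because the avatar deletion endpoint does not verify that the requested file belongs to the current user. This is a security risk because sensitive information may be stored in these photos. Update to version 4.6.2 or later to address this issue.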

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
wallosapp | wallos | <= 4.6.2 | –
Original title
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletio...
Original description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any authenticated user who knows or can discover another user's uploaded avatar filename can delete that file. This issue has been patched in version 4.6.2.
NVD CVSS 3.1 score: 4.3
Vulnerability type
CWE-862 Missing Authorization
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026