{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-10T22:21:19.288","vulnerabilities":[{"cve":{"id":"CVE-2026-30842","sourceIdentifier":"security-advisories@github.com","published":"2026-03-07T06:16:11.763","lastModified":"2026-03-11T18:06:58.190","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any authenticated user who knows or can discover another user's uploaded avatar filename can delete that file. This issue has been patched in version 4.6.2."},{"lang":"es","value":"Wallos es un rastreador de suscripciones personal de código abierto y autoalojable. Antes de la versión 4.6.2, Wallos permite a un usuario autenticado eliminar archivos de avatar subidos por otros usuarios. El endpoint de eliminación de avatares no verifica que el avatar solicitado pertenezca al usuario actual. Como resultado, cualquier usuario autenticado que conozca o pueda descubrir el nombre de archivo del avatar subido de otro usuario puede eliminar ese archivo. Este problema ha sido parcheado en la versión 4.6.2."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-862"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*","versionEndExcluding":"4.6.2","matchCriteriaId":"0369A77F-C023-4EE5-873B-7466F873A8A9"}]}]}],"references":[{"url":"https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/ellite/Wallos/releases/tag/v4.6.2","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/ellite/Wallos/security/advisories/GHSA-qw24-3pxr-3j6r","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}