{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33417", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T17:02:34.172Z", "datePublished": "2026-03-24T18:01:07.765Z", "dateUpdated": "2026-03-24T18:37:53.873Z"}, "containers": {"cna": {"title": "Wallos: Password Reset Tokens Never Expire", "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ellite/Wallos/security/advisories/GHSA-p3fv-m43r-3fhf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ellite/Wallos/security/advisories/GHSA-p3fv-m43r-3fhf"}, {"name": "https://github.com/ellite/Wallos/commit/90bb6186ee4091590b6efdef824c85f2494ff2bb", "tags": ["x_refsource_MISC"], "url": "https://github.com/ellite/Wallos/commit/90bb6186ee4091590b6efdef824c85f2494ff2bb"}], "affected": [{"vendor": "ellite", "product": "Wallos", "versions": [{"version": "< 4.7.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T18:01:07.765Z"}, "descriptions": [{"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp column, but the token validation logic never checks it. A password reset token remains valid indefinitely until it is used, allowing an attacker who intercepts a reset link at any point to use it days, weeks, or months later. This issue has been patched in version 4.7.2."}], "source": {"advisory": "GHSA-p3fv-m43r-3fhf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T18:37:47.744820Z", "id": "CVE-2026-33417", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:37:53.873Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33417", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T18:37:47.744820Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:37:50.838Z"}}], "cna": {"title": "Wallos: Password Reset Tokens Never Expire", "source": {"advisory": "GHSA-p3fv-m43r-3fhf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ellite", "product": "Wallos", "versions": [{"status": "affected", "version": "< 4.7.2"}]}], "references": [{"url": "https://github.com/ellite/Wallos/security/advisories/GHSA-p3fv-m43r-3fhf", "name": "https://github.com/ellite/Wallos/security/advisories/GHSA-p3fv-m43r-3fhf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ellite/Wallos/commit/90bb6186ee4091590b6efdef824c85f2494ff2bb", "name": "https://github.com/ellite/Wallos/commit/90bb6186ee4091590b6efdef824c85f2494ff2bb", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp column, but the token validation logic never checks it. A password reset token remains valid indefinitely until it is used, allowing an attacker who intercepts a reset link at any point to use it days, weeks, or months later. This issue has been patched in version 4.7.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T18:01:07.765Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33417", "state": "PUBLISHED", "dateUpdated": "2026-03-24T18:37:53.873Z", "dateReserved": "2026-03-19T17:02:34.172Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T18:01:07.765Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D7E175D-54D9-47F3-8124-8E017924D210", "versionEndExcluding": "4.7.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp column, but the token validation logic never checks it. A password reset token remains valid indefinitely until it is used, allowing an attacker who intercepts a reset link at any point to use it days, weeks, or months later. This issue has been patched in version 4.7.2."}, {"lang": "es", "value": "Wallos es un rastreador de suscripciones personal de c\u00f3digo abierto y autoalojable. Antes de la versi\u00f3n 4.7.2, los tokens de restablecimiento de contrase\u00f1a en Wallos nunca caducaban. La tabla password_resets incluye una columna de marca de tiempo created_at, pero la l\u00f3gica de validaci\u00f3n del token nunca la verifica. Un token de restablecimiento de contrase\u00f1a permanece v\u00e1lido indefinidamente hasta que se utiliza, permitiendo a un atacante que intercepta un enlace de restablecimiento en cualquier momento usarlo d\u00edas, semanas o meses despu\u00e9s. Este problema ha sido parcheado en la versi\u00f3n 4.7.2."}], "id": "CVE-2026-33417", "lastModified": "2026-03-26T20:59:31.423", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-24T19:16:53.540", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ellite/Wallos/commit/90bb6186ee4091590b6efdef824c85f2494ff2bb"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ellite/Wallos/security/advisories/GHSA-p3fv-m43r-3fhf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.7.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Wallos", "source": "cna", "vendor": "ellite"}, "product": "wallos", "vendor": "ellite"}], "analysis": {"en": {"generated_at": "2026-03-24T19:50:38.068935+00:00", "value": {"mitigation_remediation": ["Upgrade Wallos to version\u202f4.7.2 or newer to apply the official fix."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized access via indefinite password reset token"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the open\u2011source Wallos application developed by ellite. All releases prior to version\u202f4.7.2 are susceptible. Users who have not upgraded to 4.7.2 or newer remain vulnerable.", "description_and_impact": "Password reset tokens in Wallos do not expire because the validation logic ignores the created_at timestamp, even though the database stores it. An attacker who obtains a reset link can use that token at any time after it is issued, granting persistent access to the victim\u2019s account. This flaw allows unauthorized disclosure of account information and is classified as CWE\u2011613.", "risk_and_exploitability": "The CVSS v3.1 score of 6.5 indicates medium severity, reflecting the potential for unauthorized account access. EPSS data is not provided, and the vulnerability is not included in CISA\u2019s KEV catalog. Based on the description, it is inferred that an attacker must obtain a valid reset link\u2014potentially through interception or phishing\u2014to exploit the flaw. Once the token is in the attacker\u2019s possession, it can be used at any future time, compromising confidentiality and possibly escalating privileges depending on the account level."}}}}, "created": "2026-03-25T11:46:49.553723+00:00", "updated": "2026-03-25T20:49:34.611616+00:00", "vendors": ["ellite", "ellite$PRODUCT$wallos"]}