Wallos CVE-2025-60535
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CSRF inherently needs a logged-in victim to load the request, so UI:R; only currency config integrity is affected (I:L), with no confidentiality or availability impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
A Cross-Site Request Forgery (CSRF) in the component /endpoints/currency/currency of Wallos v4.1.1 allows attackers to execute arbitrary operations via a crafted GET request.
AnalysisAI
Cross-Site Request Forgery in Wallos v4.1.1 lets remote attackers trick an authenticated user's browser into submitting a crafted GET request to the /endpoints/currency/currency component, performing unwanted currency operations without the victim's consent. The flaw stems from missing anti-CSRF token validation on state-changing requests. There is no public exploit identified at time of analysis, and the EPSS score is low (0.17%, 6th percentile), indicating little observed exploitation interest.
Technical ContextAI
Wallos is an open-source, self-hosted subscription and finance tracking web application (PHP-based, GitHub: ellite/Wallos). The vulnerability is classified under CWE-352 (Cross-Site Request Forgery), a root cause in which the server accepts state-changing requests without verifying an unpredictable, per-session anti-CSRF token or validating the request origin. Because the affected /endpoints/currency/currency action accepts a GET request, any state change it performs can be triggered simply by causing a logged-in victim's browser to load an attacker-controlled URL (e.g., an image tag or link). No CPE strings were supplied by NVD, so exact affected configurations beyond the vendor-stated v4.1.1 cannot be enumerated from the data.
Affected ProductsAI
Wallos version 4.1.1 (open-source self-hosted subscription tracker, upstream at https://github.com/ellite/Wallos/) is the only version explicitly named in the CVE. No CPE strings were provided by NVD, so the precise range of affected or earlier versions cannot be confirmed from the available data; treat v4.1.1 as confirmed vulnerable and earlier releases as likely also affected pending vendor confirmation. Additional third-party analysis is referenced at https://github.com/vityuasd/VulList/blob/main/CVE-2025-60535.md.
RemediationAI
No vendor-released patch or fixed version is identified at time of analysis; the NVD references point only to the project's GitHub repository (https://github.com/ellite/Wallos/) and a third-party write-up (https://github.com/vityuasd/VulList/blob/main/CVE-2025-60535.md), not a tagged patched release. Monitor the Wallos GitHub repository for a fix and upgrade as soon as one is published. In the interim, apply specific compensating controls: place Wallos behind a reverse proxy or WAF that enforces SameSite=Strict (or Lax) session cookies and rejects cross-origin state-changing requests to /endpoints/currency/currency; restrict access to the application to a trusted VPN or internal network to reduce the chance a logged-in user is exposed to attacker-controlled pages; and require re-authentication for sensitive settings changes. The trade-off of SameSite=Strict is that it can break legitimate cross-site navigation flows, and network restriction reduces convenience of remote access - both acceptable given the low impact of this endpoint.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today