What is the CVSS score of CVE-2026-33417?

CVE-2026-33417 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Wallos are affected by CVE-2026-33417?

Organizations using Wallos should be aware of notable risk from CVE-2026-33417 rated CVSS 6.5. Exploitation could compromise the security of affected deployments.. A patch is available.

Wallos CVE-2026-33417

EUVD-2026-14967 MEDIUM

Insufficient Session Expiration (CWE-613)

2026-03-24 GitHub_M

Information Disclosure Wallos

6.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.5 MEDIUM

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

4.7.2

EUVD ID Assigned

Mar 24, 2026 - 18:31 euvd

EUVD-2026-14967

Analysis Generated

Mar 24, 2026 - 18:31 vuln.today

CVE Published

Mar 24, 2026 - 18:01 nvd

MEDIUM 6.5

DescriptionGitHub Advisory

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp column, but the token validation logic never checks it. A password reset token remains valid indefinitely until it is used, allowing an attacker who intercepts a reset link at any point to use it days, weeks, or months later. This issue has been patched in version 4.7.2.

AnalysisAI

Wallos, an open-source self-hostable subscription tracker, contains an authentication bypass vulnerability in its password reset mechanism where reset tokens never expire. Versions prior to 4.7.2 are affected, allowing attackers who intercept a password reset link to use it indefinitely days, weeks, or months after generation. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N indicates network-based attack vector with high attack complexity, requiring no privileges or user interaction, resulting in high confidentiality impact but low integrity and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker intercepts a Wallos user's password reset email containing a reset token link, either via network sniffing on an unencrypted connection, compromise of an email provider account, or social engineering. The attacker stores this token and waits weeks or months before attempting to use it, long after the user has forgotten about the reset request and may have relaxed security awareness. …
Remediation	Upgrade Wallos to version 4.7.2 or later immediately to apply the patch that implements token expiration validation. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33417 vulnerability details – vuln.today

Back

Wallos CVE-2026-33417

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code