wallabag CVE Vulnerabilities & Metrics

Focus on wallabag vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About wallabag Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with wallabag. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total wallabag CVEs: 10
Earliest CVE date: 21 Sep 2018, 16:29 UTC
Latest CVE date: 15 Nov 2024, 11:15 UTC

Latest CVE reference: CVE-2023-0737

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): -66.67%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -66.67%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical wallabag CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 0.48

Max CVSS: 2.7

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	10
4.0-6.9	0
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS wallabag CVEs

These are the five CVEs with the highest CVSS scores for wallabag, sorted by severity first and recency.

CVE-2023-3566 wallabag Published on 10 Jul 2023, 16:15 UTC (CVSS: 2.7)
A vulnerability was found in wallabag 2.5.4. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /config of the component Profile Config. The manipulation of the argument Name leads to allocation of resources. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-233359. NOTE: ...
CVE-2018-11352 wallabag Published on 21 Sep 2018, 16:29 UTC (CVSS: 2.1)
The Wallabag application 2.2.3 to 2.3.2 is affected by one cross-site scripting (XSS) vulnerability that is stored within the configuration page. This vulnerability enables the execution of a JavaScript payload each time an administrator visits the configuration page. The vulnerability can be exploited with authentication and used to target administrators and steal their sessions.
CVE-2023-0737 wallabag Published on 15 Nov 2024, 11:15 UTC (CVSS: 0)
wallabag version 2.5.2 contains a Cross-Site Request Forgery (CSRF) vulnerability that allows attackers to arbitrarily delete user accounts via the /account/delete endpoint. This issue is fixed in version 2.5.4.
CVE-2023-4455 wallabag Published on 21 Aug 2023, 10:15 UTC (CVSS: 0)
Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.6.3.
CVE-2023-4454 wallabag Published on 21 Aug 2023, 10:15 UTC (CVSS: 0)
Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.6.3.

All CVEs for wallabag

CVE-2023-0737 wallabag vulnerability CVSS: 0 15 Nov 2024, 11:15 UTC

wallabag version 2.5.2 contains a Cross-Site Request Forgery (CSRF) vulnerability that allows attackers to arbitrarily delete user accounts via the /account/delete endpoint. This issue is fixed in version 2.5.4.

CVE-2023-4455 wallabag vulnerability CVSS: 0 21 Aug 2023, 10:15 UTC

Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.6.3.

CVE-2023-4454 wallabag vulnerability CVSS: 0 21 Aug 2023, 10:15 UTC

Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.6.3.

CVE-2023-3566 wallabag vulnerability CVSS: 2.7 10 Jul 2023, 16:15 UTC

A vulnerability was found in wallabag 2.5.4. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /config of the component Profile Config. The manipulation of the argument Name leads to allocation of resources. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-233359. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-0734 wallabag vulnerability CVSS: 0 05 Mar 2023, 21:15 UTC

Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.4.

CVE-2023-0736 wallabag vulnerability CVSS: 0 07 Feb 2023, 23:15 UTC

Cross-site Scripting (XSS) - Stored in GitHub repository wallabag/wallabag prior to 2.5.4.

CVE-2023-0735 wallabag vulnerability CVSS: 0 07 Feb 2023, 23:15 UTC

Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.5.4.

CVE-2023-0610 wallabag vulnerability CVSS: 0 01 Feb 2023, 12:15 UTC

Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.3.

CVE-2023-0609 wallabag vulnerability CVSS: 0 01 Feb 2023, 12:15 UTC

Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.3.

CVE-2018-11352 wallabag vulnerability CVSS: 2.1 21 Sep 2018, 16:29 UTC

The Wallabag application 2.2.3 to 2.3.2 is affected by one cross-site scripting (XSS) vulnerability that is stored within the configuration page. This vulnerability enables the execution of a JavaScript payload each time an administrator visits the configuration page. The vulnerability can be exploited with authentication and used to target administrators and steal their sessions.