CVE-2026-27600

EPSS 0.03%
Veröffentlicht 03.03.2026 22:23:04
Zuletzt bearbeitet 05.03.2026 21:15:49
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although the application does not return the response body from the target service, its UI behavior differs depending on the network state of the destination. This creates a behavioral side-channel that enables internal service enumeration. This vulnerability is fixed in 0.24.0-rc.1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Sysadminsmedia ≫ Homebox Version <= 0.23.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.101

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	5	3.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-cm7p-5mg5-82pm

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-27600

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27600

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27600

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-27600