Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
5 vulnerabilities by sysadminsmedia
CVE-2026-40196 (GCVE-0-2026-40196)
Vulnerability from cvelistv5 – Published: 2026-04-17 21:01 – Updated: 2026-04-17 21:01
VLAI?
Title
HomeBox has Unauthorized API Access via Retained defaultGroup ID After Group Access Revocation
Summary
HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the access revocation and prevented the user from viewing or modifying the group's contents, the API did not. Because the original group ID persisted as the user's defaultGroup, and this value was not properly validated when the X-Tenant header was omitted, the user could still perform full CRUD operations on the group's collections through the API, bypassing the intended access controls. This issue has been fixed in version 0.25.0.
Severity ?
8.1 (High)
CWE
- CWE-708 - Incorrect Ownership Assignment
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| sysadminsmedia | homebox |
Affected:
< 0.25.0
|
{
"containers": {
"cna": {
"affected": [
{
"product": "homebox",
"vendor": "sysadminsmedia",
"versions": [
{
"status": "affected",
"version": "\u003c 0.25.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the access revocation and prevented the user from viewing or modifying the group\u0027s contents, the API did not. Because the original group ID persisted as the user\u0027s defaultGroup, and this value was not properly validated when the X-Tenant header was omitted, the user could still perform full CRUD operations on the group\u0027s collections through the API, bypassing the intended access controls. This issue has been fixed in version 0.25.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-708",
"description": "CWE-708: Incorrect Ownership Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T21:01:18.530Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-6pvm-v73p-p6m9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-6pvm-v73p-p6m9"
},
{
"name": "https://github.com/sysadminsmedia/homebox/releases/tag/v0.25.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sysadminsmedia/homebox/releases/tag/v0.25.0"
}
],
"source": {
"advisory": "GHSA-6pvm-v73p-p6m9",
"discovery": "UNKNOWN"
},
"title": "HomeBox has Unauthorized API Access via Retained defaultGroup ID After Group Access Revocation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40196",
"datePublished": "2026-04-17T21:01:18.530Z",
"dateReserved": "2026-04-09T20:59:17.620Z",
"dateUpdated": "2026-04-17T21:01:18.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27981 (GCVE-0-2026-27981)
Vulnerability from cvelistv5 – Published: 2026-03-03 22:27 – Updated: 2026-03-04 16:28
VLAI?
Title
HomeBox has an Auth Rate Limit Bypass via IP Spoofing
Summary
HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter (authRateLimiter) tracks failed attempts per client IP. It determines the client IP by reading, 1. X-Real-IP header, 2. First entry of X-Forwarded-For header, and 3. r.RemoteAddr (TCP connection address). These headers were read unconditionally. An attacker connecting directly to Homebox could forge any value in X-Real-IP, effectively getting a fresh rate limit identity per request. There is a TrustProxy option in the configuration (Options.TrustProxy, default false), but this option was never read by any middleware or rate limiter code. Additionally, chi's middleware.RealIP was applied unconditionally in main.go, overwriting r.RemoteAddr with the forged header value before it reaches any handler. This vulnerability is fixed in 0.24.0.
Severity ?
7.4 (High)
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| sysadminsmedia | homebox |
Affected:
< 0.24.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27981",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-04T16:27:35.371817Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T16:28:12.402Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "homebox",
"vendor": "sysadminsmedia",
"versions": [
{
"status": "affected",
"version": "\u003c 0.24.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter (authRateLimiter) tracks failed attempts per client IP. It determines the client IP by reading, 1. X-Real-IP header, 2. First entry of X-Forwarded-For header, and 3. r.RemoteAddr (TCP connection address). These headers were read unconditionally. An attacker connecting directly to Homebox could forge any value in X-Real-IP, effectively getting a fresh rate limit identity per request. There is a TrustProxy option in the configuration (Options.TrustProxy, default false), but this option was never read by any middleware or rate limiter code. Additionally, chi\u0027s middleware.RealIP was applied unconditionally in main.go, overwriting r.RemoteAddr with the forged header value before it reaches any handler. This vulnerability is fixed in 0.24.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T22:27:37.921Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-j86g-v96v-jpp3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-j86g-v96v-jpp3"
}
],
"source": {
"advisory": "GHSA-j86g-v96v-jpp3",
"discovery": "UNKNOWN"
},
"title": "HomeBox has an Auth Rate Limit Bypass via IP Spoofing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27981",
"datePublished": "2026-03-03T22:27:37.921Z",
"dateReserved": "2026-02-25T03:24:57.794Z",
"dateUpdated": "2026-03-04T16:28:12.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27600 (GCVE-0-2026-27600)
Vulnerability from cvelistv5 – Published: 2026-03-03 22:23 – Updated: 2026-03-04 16:28
VLAI?
Title
HomeBox affected by Blind SSRF
Summary
HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although the application does not return the response body from the target service, its UI behavior differs depending on the network state of the destination. This creates a behavioral side-channel that enables internal service enumeration. This vulnerability is fixed in 0.24.0-rc.1.
Severity ?
5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| sysadminsmedia | homebox |
Affected:
< 0.24.0-rc.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27600",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-04T16:28:32.409830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T16:28:41.237Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "homebox",
"vendor": "sysadminsmedia",
"versions": [
{
"status": "affected",
"version": "\u003c 0.24.0-rc.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although the application does not return the response body from the target service, its UI behavior differs depending on the network state of the destination. This creates a behavioral side-channel that enables internal service enumeration. This vulnerability is fixed in 0.24.0-rc.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T22:23:04.268Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-cm7p-5mg5-82pm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-cm7p-5mg5-82pm"
}
],
"source": {
"advisory": "GHSA-cm7p-5mg5-82pm",
"discovery": "UNKNOWN"
},
"title": "HomeBox affected by Blind SSRF"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27600",
"datePublished": "2026-03-03T22:23:04.268Z",
"dateReserved": "2026-02-20T19:43:14.602Z",
"dateUpdated": "2026-03-04T16:28:41.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26272 (GCVE-0-2026-26272)
Vulnerability from cvelistv5 – Published: 2026-03-03 22:20 – Updated: 2026-03-04 16:45
VLAI?
Title
HomeBox affected by Stored XSS via HTML/SVG Attachment Upload
Summary
HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting (XSS) vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload malicious HTML or SVG files containing executable JavaScript (also, potentially other formats that render scripts). Uploaded attachments are accessible via direct links. When a user accesses such a file in their browser, the embedded JavaScript executes in the context of the application's origin. This vulnerability is fixed in 0.24.0-rc.1.
Severity ?
4.6 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| sysadminsmedia | homebox |
Affected:
< 0.24.0-rc.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26272",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-04T16:44:58.799912Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T16:45:08.580Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "homebox",
"vendor": "sysadminsmedia",
"versions": [
{
"status": "affected",
"version": "\u003c 0.24.0-rc.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting (XSS) vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload malicious HTML or SVG files containing executable JavaScript (also, potentially other formats that render scripts). Uploaded attachments are accessible via direct links. When a user accesses such a file in their browser, the embedded JavaScript executes in the context of the application\u0027s origin. This vulnerability is fixed in 0.24.0-rc.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T22:20:32.987Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-55fv-9q6q-vpcr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-55fv-9q6q-vpcr"
},
{
"name": "https://github.com/sysadminsmedia/homebox/commit/51bd04e5f4656b306a296745ddd854d45aa3b892",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sysadminsmedia/homebox/commit/51bd04e5f4656b306a296745ddd854d45aa3b892"
}
],
"source": {
"advisory": "GHSA-55fv-9q6q-vpcr",
"discovery": "UNKNOWN"
},
"title": "HomeBox affected by Stored XSS via HTML/SVG Attachment Upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26272",
"datePublished": "2026-03-03T22:20:32.987Z",
"dateReserved": "2026-02-12T17:10:53.413Z",
"dateUpdated": "2026-03-04T16:45:08.580Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53108 (GCVE-0-2025-53108)
Vulnerability from cvelistv5 – Published: 2025-07-02 14:45 – Updated: 2025-07-02 16:09
VLAI?
Title
HomeBox Missing User Authorization
Summary
HomeBox is a home inventory and organization system. Prior to 0.20.1, HomeBox contains a missing authorization check in the API endpoints responsible for updating and deleting inventory item attachments. This flaw allows authenticated users to perform unauthorized actions on inventory item attachments that they do not own. This issue could lead to unauthorized data manipulation or loss of critical inventory data. This issue has been patched in version 0.20.1. There are no workarounds, users must upgrade.
Severity ?
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| sysadminsmedia | homebox |
Affected:
< 0.20.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53108",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-02T16:06:58.405250Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-02T16:09:50.634Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "homebox",
"vendor": "sysadminsmedia",
"versions": [
{
"status": "affected",
"version": "\u003c 0.20.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HomeBox is a home inventory and organization system. Prior to 0.20.1, HomeBox contains a missing authorization check in the API endpoints responsible for updating and deleting inventory item attachments. This flaw allows authenticated users to perform unauthorized actions on inventory item attachments that they do not own. This issue could lead to unauthorized data manipulation or loss of critical inventory data. This issue has been patched in version 0.20.1. There are no workarounds, users must upgrade."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-02T14:45:27.651Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-m6vx-pg9q-vq6m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-m6vx-pg9q-vq6m"
},
{
"name": "https://github.com/sysadminsmedia/homebox/commit/e159dd8a0b5d01d7225795bfba5634781181df20",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sysadminsmedia/homebox/commit/e159dd8a0b5d01d7225795bfba5634781181df20"
}
],
"source": {
"advisory": "GHSA-m6vx-pg9q-vq6m",
"discovery": "UNKNOWN"
},
"title": "HomeBox Missing User Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53108",
"datePublished": "2025-07-02T14:45:27.651Z",
"dateReserved": "2025-06-25T13:41:23.087Z",
"dateUpdated": "2025-07-02T16:09:50.634Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}