Vulnerability Description
HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting (XSS) vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload malicious HTML or SVG files containing executable JavaScript (and potentially other formats that can render scripts). Uploaded attachments are accessible via direct links. When a user opens such a file in their browser, the embedded JavaScript executes in the context of the application's origin. This vulnerability is fixed in 0.24.0-rc.1.
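One way to serve user uploads so that HTML or SVG attachments cannot run script in the application's origin, as an added example; it is not HomeBox's code or its actual patch. The names `inlineSafe`, `attachmentHeaders` and `serve`, and the allowlist contents, are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"path/filepath"
	"strings"
)

// inlineSafe lists types a browser displays without running script.
// This allowlist is an assumption of the example, not HomeBox's list.
var inlineSafe = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true,
}

// attachmentHeaders picks response headers for a stored upload. The type is
// sniffed from the bytes; the client-supplied name is only a download name.
func attachmentHeaders(filename string, data []byte) http.Header {
	h := http.Header{}
	ctype := strings.SplitN(http.DetectContentType(data), ";", 2)[0]
	disp := "inline"
	if !inlineSafe[ctype] {
		// HTML, SVG, XML and unknown types are downloaded, never rendered.
		ctype, disp = "application/octet-stream", "attachment"
	}
	name := map[string]string{"filename": filepath.Base(filename)}
	h.Set("Content-Type", ctype)
	h.Set("Content-Disposition", mime.FormatMediaType(disp, name))
	h.Set("X-Content-Type-Options", "nosniff") // stop the browser re-guessing the type
	h.Set("Content-Security-Policy", "sandbox; default-src 'none'")
	return h
}

// serve writes the hardened headers, then the stored bytes.
func serve(w http.ResponseWriter, filename string, data []byte) {
	for k, v := range attachmentHeaders(filename, data) {
		w.Header()[k] = v
	}
	w.Write(data)
}

func main() {
	// Constructed sample upload: an SVG carrying a script element.
	svg := []byte(`<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>`)
	rec := httptest.NewRecorder()
	serve(rec, "label.svg", svg)
	fmt.Println(rec.Header().Get("Content-Type"), "|", rec.Header().Get("Content-Disposition"))
}
```

Serving uploads from a separate origin with no session cookies is a complementary control that this example does not cover.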
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sysadminsmedia | Homebox | <= 0.23.1 |
Related Weaknesses (CWE)
References
- https://github.com/sysadminsmedia/homebox/commit/51bd04e5f4656b306a296745ddd854d (Patch)
- https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-55fv-9q6q-vpc (Vendor Advisory)
FAQ
What is CVE-2026-26272?
CVE-2026-26272 is a vulnerability with a CVSS score of 4.6 (MEDIUM). HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting (XSS) vulnerability exists in the item attachment upload functionality. The application does no...
How severe is CVE-2026-26272?
CVE-2026-26272 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-26272?
Check the references section above for vendor advisories and patch information. Affected products include: Sysadminsmedia Homebox.