1. Home
  2. CVE Database
  3. CVE-2026-27600
MEDIUM · 5.0

CVE-2026-27600

HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requ...

Vulnerability Description

HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although the application does not return the response body from the target service, its UI behavior differs depending on the network state of the destination. This creates a behavioral side-channel that enables internal service enumeration. This vulnerability is fixed in 0.24.0-rc.1.

CVSS Score

5.0

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE

Affected Products

VendorProductVersions
SysadminsmediaHomebox<= 0.23.1

Related Weaknesses (CWE)

CWE-918

References

FAQ

What is CVE-2026-27600?

CVE-2026-27600 is a vulnerability with a CVSS score of 5.0 (MEDIUM). HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requ...

How severe is CVE-2026-27600?

CVE-2026-27600 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-27600?

Check the references section above for vendor advisories and patch information. Affected products include: Sysadminsmedia Homebox.