CVE-2026-26272

MEDIUM 4.6

HomeBox affected by Stored XSS via HTML/SVG Attachment Upload

CVSS Score

4.6

EPSS Score

0.0%

EPSS Percentile

0th

HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting (XSS) vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload malicious HTML or SVG files containing executable JavaScript (also, potentially other formats that render scripts). Uploaded attachments are accessible via direct links. When a user accesses such a file in their browser, the embedded JavaScript executes in the context of the application's origin. This vulnerability is fixed in 0.24.0-rc.1.

CWE	CWE-79
Vendor	sysadminsmedia
Product	homebox
Published	Mar 3, 2026
Last Updated	Mar 4, 2026

Stay Ahead of the Next One

Get instant alerts for sysadminsmedia homebox

Be the first to know when new medium vulnerabilities affecting sysadminsmedia homebox are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

sysadminsmedia / homebox

< 0.24.0-rc.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-55fv-9q6q-vpcr github.com: https://github.com/sysadminsmedia/homebox/commit/51bd04e5f4656b306a296745ddd854d45aa3b892