Description
HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting (XSS) vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload malicious HTML or SVG files containing executable JavaScript (also, potentially other formats that render scripts). Uploaded attachments are accessible via direct links. When a user accesses such a file in their browser, the embedded JavaScript executes in the context of the application's origin. This vulnerability is fixed in 0.24.0-rc.1.
Published: 2026-03-03
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

HomeBox, a home inventory and organization system, contains a stored XSS flaw in its item attachment upload functionality. The application fails to enforce file type validation, which allows an authenticated user to upload malicious HTML or SVG files embedding executable JavaScript. When a victim user opens such an attachment through a direct link, the script runs in the context of the application’s origin, allowing the attacker to steal session data, modify page content, or execute further client‑side attacks.

Affected Systems

Sysadminsmedia’s HomeBox software, versions earlier than 0.24.0‑rc.1, is affected by this issue. The vulnerability applies to all installations of these versions regardless of operating system, as the flaw is in the web application code.

Risk and Exploitability

The CVSS base score of 4.6 indicates moderate severity, and the EPSS score of less than 1% suggests a very low but non‑zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user to upload the malicious file, but any user who opens the resulting attachment is exposed to the embedded script, enabling widespread impact across the user base.

Generated by OpenCVE AI on April 17, 2026 at 13:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HomeBox to version 0.24.0‑rc.1 or later to eliminate the vulnerability.
  • If an upgrade is not immediately possible, configure the application to allow only safe file types and enforce strict MIME‑type checks on uploaded attachments.
  • As a temporary measure, consider disabling the attachment upload feature or blocking HTML and SVG files from being uploaded until a patch can be applied.
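The mechanism in the description above (uploads accepted by name or declared type, then served as documents from the application's origin) and the interim mitigations in the list above can both be illustrated with a small Go upload validator and download-header helper. This is an added example, not HomeBox's own code; the allowlist, the function names and the sample SVG are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
)

// Media types an attachment may be stored as; HTML and SVG are deliberately absent.
var allowedTypes = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true,
	"image/webp": true, "application/pdf": true,
}

// ValidateAttachment judges the bytes, not the client-supplied name or Content-Type.
func ValidateAttachment(name string, data []byte) (string, error) {
	switch strings.ToLower(filepath.Ext(name)) {
	case ".html", ".htm", ".xhtml", ".svg":
		return "", fmt.Errorf("extension of %q is not permitted", name)
	}
	// Go's sniffer labels many SVGs text/plain or text/xml, so check the markup too.
	body := bytes.ToLower(data)
	if bytes.Contains(body, []byte("<svg")) || bytes.Contains(body, []byte("<script")) {
		return "", fmt.Errorf("%q contains SVG or HTML markup", name)
	}
	media := strings.Split(http.DetectContentType(data), ";")[0]
	if !allowedTypes[media] {
		return "", fmt.Errorf("content type %q is not permitted", media)
	}
	return media, nil
}

// AttachmentHeaders builds download headers so a stored file is never rendered in-origin.
func AttachmentHeaders(media, name string) http.Header {
	h := http.Header{}
	h.Set("Content-Type", media)
	h.Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", name))
	h.Set("X-Content-Type-Options", "nosniff")  // forbid re-sniffing to text/html
	h.Set("Content-Security-Policy", "sandbox") // no script even if rendered inline
	return h
}

func main() { // constructed sample: a scripted SVG uploaded under a harmless name
	fmt.Println(ValidateAttachment("photo.png", []byte(`<svg><script>alert(1)</script></svg>`)))
}
```

Storing the sniffed media type and serving with these headers covers files that were uploaded before the check existed, which an upload-time filter alone does not.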

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 21:30:00 +0000

CPEs (values added): cpe:2.3:a:sysadminsmedia:homebox:*:*:*:*:*:*:*:*

Wed, 04 Mar 2026 17:15:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 15:00:00 +0000

First Time appeared (values added): Sysadminsmedia; Sysadminsmedia homebox
Vendors & Products (values added): Sysadminsmedia; Sysadminsmedia homebox

Tue, 03 Mar 2026 22:30:00 +0000

Description (values added): HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting (XSS) vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload malicious HTML or SVG files containing executable JavaScript (also, potentially other formats that render scripts). Uploaded attachments are accessible via direct links. When a user accesses such a file in their browser, the embedded JavaScript executes in the context of the application's origin. This vulnerability is fixed in 0.24.0-rc.1.
Title (values added): HomeBox affected by Stored XSS via HTML/SVG Attachment Upload
Weaknesses (values added): CWE-79
References (values added):
Metrics (values added): cvssV3_1
{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-04T16:45:08.580Z

Reserved: 2026-02-12T17:10:53.413Z

Link: CVE-2026-26272

Vulnrichment

Updated: 2026-03-04T16:45:04.560Z

NVD

Status : Analyzed

Published: 2026-03-03T23:15:55.050

Modified: 2026-03-05T21:20:08.713

Link: CVE-2026-26272

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:30:19Z

Weaknesses