Description
HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although the application does not return the response body from the target service, its UI behavior differs depending on the network state of the destination. This creates a behavioral side-channel that enables internal service enumeration. This vulnerability is fixed in 0.24.0-rc.1.
Published: 2026-03-03
Score: 5 (Medium)
EPSS: < 1% (Very Low)
KEV: No
Impact: Internal service enumeration via blind SSRF
Action: Immediate Patch
AI Analysis

Impact

The notifier feature in HomeBox allows authenticated users to supply any URL, and the application will POST to it without validating the host, IP address, or port. Although the target's response body is never returned, the user interface behaves differently depending on whether the request succeeds or times out, creating a side-channel that can be used to discover services and open ports on machines within the same internal network. This flaw does not grant direct code execution or data exfiltration, but it gives an attacker the ability to map the internal topology of a HomeBox deployment.

Affected Systems

HomeBox from sysadminsmedia in versions prior to 0.24.0-rc.1 is affected. The vulnerability is reachable only by users who have authenticated access to the application and can configure the notifier feature.

Risk and Exploitability

The CVSS score of 5.0 indicates moderate severity, and the EPSS value of less than 1% suggests a low probability of exploitation at the time of analysis. The flaw is not listed in the CISA KEV catalog, so no active exploitation in the wild had been reported. Exploitation requires an attacker to log in to a HomeBox instance and craft specific URLs for the notifier; the effect relies on observing UI changes to infer the status of remote endpoints rather than on any returned response. While the attack surface is limited to authenticated users, the potential impact of revealing sensitive internal network structure warrants prompt remediation.

Generated by OpenCVE AI on April 16, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HomeBox to version 0.24.0-rc.1 or later, where the notifier input is validated and limited to approved destinations.
  • If the notifier feature is not required, disable it entirely through the application configuration to eliminate the SSRF entry point.
  • Configure network controls, such as a firewall or proxy, to restrict outbound HTTP connections from HomeBox to a vetted list of external hosts, preventing unauthorized requests.

Generated by OpenCVE AI on April 16, 2026 at 13:52 UTC.
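The destination validation that the first recommended action describes, as an added Go example (it is not HomeBox's own code and not the change shipped in 0.24.0-rc.1): a notifier URL is accepted only if its scheme is http or https, its port is 80 or 443, and every address the host resolves to is publicly routable, so loopback, RFC 1918, link-local and similar ranges are refused before any request is sent. `validateNotifierURL` is a hypothetical name, and `exampleResolver` is a constructed stand-in for `net.LookupIP` so that the block runs offline.

```go
package main

import (
	"errors"
	"net"
	"net/url"
)

// Constructed DNS table standing in for net.LookupIP so the example runs offline;
// "multi.example.test" mixes a public and a private record (a rebinding-style case).
var exampleResolver = func(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"hooks.example.test": {net.ParseIP("203.0.113.10")},
		"multi.example.test": {net.ParseIP("203.0.113.10"), net.ParseIP("10.0.0.5")},
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, errors.New("no such host: " + host)
}

// validateNotifierURL accepts only http(s) on port 80/443 whose every resolved
// address is publicly routable (no loopback, RFC 1918/ULA, link-local, multicast
// or unspecified ranges). resolve is injected; pass net.LookupIP in production.
func validateNotifierURL(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return errors.New("scheme must be http or https")
	}
	if p := u.Port(); p != "" && p != "80" && p != "443" {
		return errors.New("port " + p + " is not permitted for notifiers")
	}
	host := u.Hostname()
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // hostname rather than a literal: resolve and check every record
		if ips, err = resolve(host); err != nil {
			return err
		}
	}
	for _, ip := range ips {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
			ip.IsInterfaceLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified() {
			return errors.New(host + " resolves to non-public address " + ip.String())
		}
	}
	return nil
}
```

Checking at save time does not cover a DNS answer that changes between validation and the POST, so the same address check should also be applied where the HTTP client dials the connection.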

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 21:30:00 +0000

  • CPEs, values added: cpe:2.3:a:sysadminsmedia:homebox:*:*:*:*:*:*:*:*

Wed, 04 Mar 2026 17:15:00 +0000

  • Metrics (ssvc), values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 15:00:00 +0000

  • First Time appeared, values added: Sysadminsmedia; Sysadminsmedia homebox
  • Vendors & Products, values added: Sysadminsmedia; Sysadminsmedia homebox

Tue, 03 Mar 2026 22:30:00 +0000

  • Description, values added: HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although the application does not return the response body from the target service, its UI behavior differs depending on the network state of the destination. This creates a behavioral side-channel that enables internal service enumeration. This vulnerability is fixed in 0.24.0-rc.1.
  • Title, values added: HomeBox affected by Blind SSRF
  • Weaknesses, values added: CWE-918
  • References, values added: (none shown)
  • Metrics (cvssV3_1), values added: {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-04T16:28:41.237Z

Reserved: 2026-02-20T19:43:14.602Z

Link: CVE-2026-27600

Vulnrichment

Updated: 2026-03-04T16:28:35.981Z

NVD

Status: Analyzed

Published: 2026-03-03T23:15:55.400

Modified: 2026-03-05T21:15:49.963

Link: CVE-2026-27600

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:00:19Z

Weaknesses