Description
Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. Prior to version 1.21.0, when a user requests a download, the application does not verify whether the requested file is located within the media source directory, which can result in sensitive system files being downloadable as well. This issue has been patched in version 1.21.0.
Published: 2026-03-06
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in HomeGallery allows an attacker to request a download of a file outside the intended media directory because the application does not verify the file's location before serving it. This path traversal flaw (CWE-22) enables arbitrary file reads, exposing sensitive data such as configuration files and operating system files and thereby compromising confidentiality. The flaw lies in the download request handling, so anyone who can reach the download endpoint can retrieve arbitrary files.

Affected Systems

The issue affects the HomeGallery application from xemle, specifically all releases before 1.21.0. Users running any version earlier than 1.21.0 are susceptible.

Risk and Exploitability

With a CVSS score of 8.6, the vulnerability is rated high severity. The EPSS score below 1% indicates a very low estimated likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates a remote attack over the network via the download endpoint, requiring neither privileges nor user interaction. While the potential impact is significant, the low estimated probability of exploitation lowers the overall risk; the flaw nonetheless remains exploitable by anyone who can reach the download endpoint.

Generated by OpenCVE AI on April 16, 2026 at 11:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HomeGallery to version 1.21.0 or later to apply the fix that validates download paths.
  • If upgrading is not immediately possible, restrict the download endpoint to authenticated users and configure the web server to deny access to files outside the media directory.
  • Review and harden file serving logic to ensure it only resolves paths within the configured media source, and monitor logs for any anomalous download attempts.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 20:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Home-gallery; Home-gallery homegallery
CPEs                |                | cpe:2.3:a:home-gallery:homegallery:*:*:*:*:*:*:*:*
Vendors & Products  |                | Home-gallery; Home-gallery homegallery

Fri, 06 Mar 2026 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Xemle; Xemle home-gallery
Vendors & Products  |                | Xemle; Xemle home-gallery

Fri, 06 Mar 2026 04:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. Prior to version 1.21.0, when a user requests a download, the application does not verify whether the requested file is located within the media source directory, which can result in sensitive system files being downloadable as well. This issue has been patched in version 1.21.0.
Title       |                | HomeGallery: Path Traversal (Arbitrary File Read)
Weaknesses  |                | CWE-22
References  |                |
Metrics     |                | cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:07:11.502Z

Reserved: 2026-03-02T21:43:19.927Z

Link: CVE-2026-28679

Vulnrichment

Updated: 2026-03-06T16:00:11.414Z

NVD

Status: Analyzed

Published: 2026-03-06T05:16:36.977

Modified: 2026-03-10T19:54:04.837

Link: CVE-2026-28679

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:45:26Z

Weaknesses