CVE-2026-26272
Received Received - Intake
Stored XSS via Unrestricted File Upload in HomeBox Attachments

Publication date: 2026-03-03

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting (XSS) vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload malicious HTML or SVG files containing executable JavaScript (also, potentially other formats that render scripts). Uploaded attachments are accessible via direct links. When a user accesses such a file in their browser, the embedded JavaScript executes in the context of the application's origin. This vulnerability is fixed in 0.24.0-rc.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-03
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-03-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26272
EUVD
EUVD-2026-9333
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sysadminsmedia homebox to 0.23.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should upgrade the HomeBox application to version 0.24.0-rc.1 or later, where the issue is fixed.

Additionally, restrict or validate uploaded file types to prevent uploading of malicious HTML, SVG, or other script-containing files.

Ensure that only authenticated and trusted users have permission to upload attachments.

Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in the HomeBox application prior to version 0.24.0-rc.1. It occurs in the item attachment upload functionality where the application does not properly validate or restrict the types of files that authenticated users can upload. Malicious users can upload HTML or SVG files containing executable JavaScript, or potentially other file formats that can render scripts. When other users access these uploaded files via direct links, the embedded JavaScript executes within the context of the application's origin, potentially compromising security.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of the HomeBox application for users who access the malicious attachments. This can lead to unauthorized actions such as stealing user session information, performing actions on behalf of the user, or delivering further malicious payloads. Since the vulnerability requires an authenticated user to upload the malicious file and another user to access it, the impact includes potential compromise of user data confidentiality and integrity.

Compliance Impact

I don't know

Detection Guidance

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26272. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart