CVE-2026-28429
Received Received - Intake
Path Traversal in Talishar's ParseGamestate.php Allows File Access

Publication date: 2026-03-06

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871, a Path Traversal vulnerability was identified in the gameName parameter. While the application's primary entry points implement input validation, the ParseGamestate.php component can be accessed directly as a standalone script. In this scenario, the absence of internal sanitization allows for directory traversal sequences (e.g., ../) to be processed, potentially leading to unauthorized file access. This issue has been patched in commit 6be3871.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28429
EUVD
EUVD-2026-9982
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
talishar talishar to 2026-02-22 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28429 is a critical Path Traversal vulnerability in the Talishar game, specifically in the ParseGamestate.php component. The vulnerability occurs because the gameName parameter is not properly sanitized when this script is accessed directly, allowing an attacker to include directory traversal sequences like "../".'}, {'type': 'paragraph', 'content': 'This means an attacker can manipulate the file path to access files outside the intended directory, potentially reading sensitive files on the server.'}, {'type': 'paragraph', 'content': 'The vulnerability was fixed by adding an internal check to ensure the gameName parameter is numeric, preventing malicious input from being processed.'}] [1, 2]

Impact Analysis

This vulnerability allows an unauthenticated attacker to read arbitrary files on the server that match the expected file structure.

  • Exposure of sensitive information such as configuration files or environment variables (e.g., .env files).
  • Potential leakage of confidential data stored on the server.

Because the attack requires no privileges or user interaction and can be performed remotely, it poses a high risk to the confidentiality of your system.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access the ParseGamestate.php script with directory traversal sequences in the gameName parameter to see if unauthorized files can be accessed.'}, {'type': 'paragraph', 'content': 'A simple command to test this is using curl to send a request with a traversal payload, for example:'}, {'type': 'list_item', 'content': 'curl -s "http://<target-ip>:<port>/ParseGamestate.php?gameName=../secreto"'}, {'type': 'paragraph', 'content': 'If the response returns contents from outside the intended directory (e.g., contents of a file like secreto/gamestate.txt), it indicates the vulnerability is present.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation is to apply the patch introduced in commit 6be3871 which adds internal validation to the ParseGamestate.php script.'}, {'type': 'paragraph', 'content': "Specifically, the patch enforces that the gameName parameter must be numeric by using PHP's is_numeric() function, and terminates execution if this check fails."}, {'type': 'paragraph', 'content': 'This prevents directory traversal sequences from being processed and stops unauthorized file access.'}, {'type': 'paragraph', 'content': 'If patching is not immediately possible, restrict direct access to ParseGamestate.php or implement external input validation to block directory traversal patterns in the gameName parameter.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28429. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart