CVE-2026-28429
Path Traversal in Talishar's ParseGamestate.php Allows File Access
Publication date: 2026-03-06
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| talishar | talishar | before 2026-02-22 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28429 is a path traversal vulnerability in the Talishar game server, specifically in the ParseGamestate.php script. The gameName parameter is not sanitized when this script is requested directly, so an attacker can place directory traversal sequences such as "../" in it.

Because gameName is used to build a file path, the attacker can steer the script to files outside the intended game directory and read them from the server.

The fix adds an internal check that gameName is numeric, so a value carrying a traversal sequence is rejected before any path is built. [1, 2]
How can this vulnerability impact me?
This vulnerability allows an unauthenticated, remote attacker to read files on the server whose location matches the path structure the script builds from gameName (a directory chosen by the attacker plus the file name the script expects). Consequences include:
- Exposure of sensitive information such as configuration files or environment files (e.g., .env), where the constructed path can reach them.
- Leakage of confidential data stored on the server, including other players' game state.
Because the attack requires no privileges or user interaction and can be performed remotely, it poses a high risk to the confidentiality of your system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
A direct check is to request ParseGamestate.php with a directory traversal sequence in the gameName parameter and see whether content from outside the intended game directory comes back. For example, with curl:
- curl -s "http://<target-ip>:<port>/ParseGamestate.php?gameName=../secreto"
If the response contains content from outside the game directory (for example the contents of a file such as secreto/gamestate.txt), the vulnerability is present. Compare the response with one for a legitimate numeric gameName so that an error page is not mistaken for a hit, and repeat the test with URL-encoded traversal sequences (%2e%2e%2f) in case a front-end blocks only the literal form. Only run this against systems you are authorized to test.
For past activity, search the web-server access logs for requests to ParseGamestate.php whose gameName value is not a plain number; a 200 response to such a request is the case to investigate first. [1]
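The following added example (not from the advisory or the Talishar project) turns the log search above into a small detector: it scans web-server access-log lines for requests to ParseGamestate.php whose gameName is not a plain number, percent-decoding repeatedly so encoded and double-encoded traversal sequences are recognised. The log lines are constructed for the example, and the combined log format and the script being served at the site root are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Mar/2026:10:00:01 +0000] "GET /ParseGamestate.php?gameName=123456 HTTP/1.1" 200 4821
203.0.113.5 - - [06/Mar/2026:10:00:02 +0000] "GET /ParseGamestate.php?gameName=../secreto HTTP/1.1" 200 311
198.51.100.7 - - [06/Mar/2026:10:00:03 +0000] "GET /ParseGamestate.php?gameName=%2e%2e%2f%2e%2e%2fetc HTTP/1.1" 200 97
198.51.100.7 - - [06/Mar/2026:10:00:04 +0000] "GET /ParseGamestate.php?gameName=%252e%252e%252fetc HTTP/1.1" 404 0
192.0.2.9 - - [06/Mar/2026:10:00:05 +0000] "GET /index.php?gameName=../x HTTP/1.1" 200 10
192.0.2.9 - - [06/Mar/2026:10:00:06 +0000] "GET /ParseGamestate.php?gameName=123456&playerID=1 HTTP/1.1" 200 4821
"""

# Fields needed from a combined-log line: client IP, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed: the script is served at the site root, so we match on the file name only.
TARGET_SCRIPT = "parsegamestate.php"


def decode_repeatedly(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so a double-encoded %252e is seen as '.'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_game_name(raw: str) -> str:
    """'ok' for a purely numeric id (what the fix accepts), 'traversal' for a value
    that walks out of the game directory, 'suspicious' for anything else non-numeric."""
    decoded = decode_repeatedly(raw).replace("\\", "/")
    if re.fullmatch(r"[0-9]+", decoded):
        return "ok"
    # An absolute path, or '..' appearing as a whole path segment, leaves the directory.
    if decoded.startswith("/") or re.search(r"(^|/)\.\.(/|$)", decoded):
        return "traversal"
    return "suspicious"


def scan_access_log(text: str) -> list:
    """One finding per ParseGamestate.php request whose gameName is not a plain number."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("/" + TARGET_SCRIPT):
            continue
        # Split the query by hand so the raw (still encoded) value is kept for the report.
        for pair in parts.query.split("&"):
            key, _, raw = pair.partition("=")
            if unquote(key) != "gameName":
                continue
            verdict = classify_game_name(raw)
            if verdict == "ok":
                continue
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "raw": raw,
                "decoded": decode_repeatedly(raw),
                "verdict": verdict,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        # A 200 on a traversal value is the one to look at first.
        print(f"{f['ts']} {f['ip']} {f['verdict']:10} status={f['status']} "
              f"gameName={f['raw']!r} -> {f['decoded']!r}")
```

Run against the sample, the scanner reports the three ParseGamestate.php requests with traversal payloads (literal, encoded and double-encoded) and ignores both the legitimate numeric requests and the traversal attempt against a different script. The double-encoded request is still reported even though the server answered 404, because the attempt itself is worth knowing about.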
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to apply the patch introduced in commit 6be3871, which adds internal validation to the ParseGamestate.php script.

Specifically, the patch enforces that the gameName parameter is numeric using PHP's is_numeric() function and terminates execution if that check fails.

Because a traversal sequence is never numeric, the request is rejected before any file path is built, which stops the unauthorized file access.

If patching is not immediately possible, restrict direct access to ParseGamestate.php (for example with a web-server rule) or apply external input validation that allows only numeric gameName values. An allowlist of this kind is preferable to blocking individual traversal patterns, which encoded variants can slip past. [1, 2]
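As an added illustration of the vulnerability described above and of the fix, the following Python model (not code from the Talishar project, which is PHP) shows where an unchecked gameName makes the read land and how an allowlist check in the style of the patch stops it. The directory layout, the GAMES_ROOT location and the fixed gamestate.txt file name are assumptions based on the example in the detection section, not taken from the project's source.

```python
import posixpath
import re
from typing import Optional

# Assumed layout for this model (not from the Talishar code base):
# the script is meant to read <GAMES_ROOT>/<gameName>/<STATE_FILE>.
GAMES_ROOT = "/var/www/talishar/Games"
STATE_FILE = "gamestate.txt"


def build_state_path(game_name: str) -> str:
    """Models the vulnerable construction: gameName is spliced into the path unchecked.

    posixpath.normpath collapses the '..' segments the way the file system would,
    so the returned string is where the read actually lands.
    """
    return posixpath.normpath(posixpath.join(GAMES_ROOT, game_name, STATE_FILE))


def escapes_root(path: str) -> bool:
    """True when a resolved path is no longer underneath GAMES_ROOT."""
    root = posixpath.normpath(GAMES_ROOT) + "/"
    return not posixpath.normpath(path).startswith(root)


def is_valid_game_name(game_name: str) -> bool:
    """Allowlist check modelled on the fix: accept only a plain run of ASCII digits.

    This is deliberately stricter than PHP's is_numeric(), which also accepts
    leading whitespace, signs, decimals and exponent notation such as '1e3'.
    """
    return re.fullmatch(r"[0-9]+", game_name) is not None


def resolve_game_state(game_name: str) -> Optional[str]:
    """Hardened entry point: reject the request (None) before any path is built."""
    if not is_valid_game_name(game_name):
        return None
    return build_state_path(game_name)


if __name__ == "__main__":
    for candidate in ("123456", "../secreto", "../../../../etc", "1e3"):
        vulnerable = build_state_path(candidate)
        print(f"{candidate!r:20} vulnerable -> {vulnerable} "
              f"(escapes root: {escapes_root(vulnerable)}) | "
              f"hardened -> {resolve_game_state(candidate)}")
```

Two things the run makes visible. First, the fixed file name at the end of the path limits what the unpatched script can read to files with that name in whatever directory the traversal reaches, so "../secreto" lands on secreto/gamestate.txt, not on an arbitrary file. Second, the check here accepts only digits, whereas is_numeric() in the actual patch also accepts values such as "1e3" or " 42"; none of those can carry a traversal sequence, so the patch is sufficient against this bug, but if game identifiers are always integers, ctype_digit() is the tighter allowlist.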