{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-10T18:33:12.249","vulnerabilities":[{"cve":{"id":"CVE-2026-26272","sourceIdentifier":"security-advisories@github.com","published":"2026-03-03T23:15:55.050","lastModified":"2026-03-05T21:20:08.713","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting (XSS) vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload malicious HTML or SVG files containing executable JavaScript (also, potentially other formats that render scripts). Uploaded attachments are accessible via direct links. When a user accesses such a file in their browser, the embedded JavaScript executes in the context of the application's origin. This vulnerability is fixed in 0.24.0-rc.1."},{"lang":"es","value":"HomeBox es un sistema de inventario y organización del hogar. Antes de la versión 0.24.0-rc.1, existe una vulnerabilidad de cross-site scripting (XSS) almacenado en la funcionalidad de carga de archivos adjuntos de elementos. La aplicación no valida ni restringe adecuadamente los tipos de archivos cargados, permitiendo a un usuario autenticado cargar archivos HTML o SVG maliciosos que contienen JavaScript ejecutable (también, potencialmente otros formatos que renderizan scripts). Los archivos adjuntos cargados son accesibles a través de enlaces directos. Cuando un usuario accede a dicho archivo en su navegador, el JavaScript incrustado se ejecuta en el contexto del origen de la aplicación. Esta vulnerabilidad está corregida en la versión 0.24.0-rc.1."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N","baseScore":4.6,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":2.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:sysadminsmedia:homebox:*:*:*:*:*:*:*:*","versionEndIncluding":"0.23.1","matchCriteriaId":"16FA5C78-4497-4434-802B-AAA83C1BF0A8"}]}]}],"references":[{"url":"https://github.com/sysadminsmedia/homebox/commit/51bd04e5f4656b306a296745ddd854d45aa3b892","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-55fv-9q6q-vpcr","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}