{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-29T07:33:02.635","vulnerabilities":[{"cve":{"id":"CVE-2026-27600","sourceIdentifier":"security-advisories@github.com","published":"2026-03-03T23:15:55.400","lastModified":"2026-06-17T10:27:22.287","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although the application does not return the response body from the target service, its UI behavior differs depending on the network state of the destination. This creates a behavioral side-channel that enables internal service enumeration. This vulnerability is fixed in 0.24.0-rc.1."},{"lang":"es","value":"HomeBox es un sistema de inventario y organización del hogar. Previo a la 0.24.0-rc.1, la funcionalidad del notificador permite a los usuarios autenticados especificar URLs arbitrarias a las que la aplicación envía solicitudes HTTP POST. No se aplica ninguna validación o restricción al host, dirección IP o puerto suministrados. Aunque la aplicación no devuelve el cuerpo de la respuesta del servicio de destino, su comportamiento de la UI difiere dependiendo del estado de la red del destino. Esto crea un canal lateral de comportamiento que permite la enumeración de servicios internos. Esta vulnerabilidad se corrige en la 0.24.0-rc.1."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"sysadminsmedia","product":"homebox","versions":[{"version":"< 0.24.0-rc.1","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N","baseScore":5.0,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-03-04T16:28:32.409830Z","id":"CVE-2026-27600","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-918"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:sysadminsmedia:homebox:*:*:*:*:*:*:*:*","versionEndIncluding":"0.23.1","matchCriteriaId":"16FA5C78-4497-4434-802B-AAA83C1BF0A8"}]}]}],"references":[{"url":"https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-cm7p-5mg5-82pm","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}