ByteOS Network

NVD Vulnerability Details :

CVE-2026-27600

Analyzed

Source-security-advisories@github.com

Published At-03 Mar, 2026 | 23:15

Updated At-05 Mar, 2026 | 21:15

HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although the application does not return the response body from the target service, its UI behavior differs depending on the network state of the destination. This creates a behavioral side-channel that enables internal service enumeration. This vulnerability is fixed in 0.24.0-rc.1.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	5.0	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Primary	3.1	4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Type: Secondary

Version: 3.1

Base score: 5.0

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Type: Primary

Version: 3.1

Base score: 4.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CPE Matches

sysadminsmedia>>homebox>>Versions up to 0.23.1(inclusive)

cpe:2.3:a:sysadminsmedia:homebox:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-918	Primary	security-advisories@github.com

CWE ID: CWE-918

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-cm7p-5mg5-82pm	security-advisories@github.com	Vendor Advisory

Hyperlink: https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-cm7p-5mg5-82pm

Source: security-advisories@github.com

Resource:

Vendor Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History