{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27600", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T19:43:14.602Z", "datePublished": "2026-03-03T22:23:04.268Z", "dateUpdated": "2026-03-04T16:28:41.237Z"}, "containers": {"cna": {"title": "HomeBox affected by Blind SSRF", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-cm7p-5mg5-82pm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-cm7p-5mg5-82pm"}], "affected": [{"vendor": "sysadminsmedia", "product": "homebox", "versions": [{"version": "< 0.24.0-rc.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-03T22:23:04.268Z"}, "descriptions": [{"lang": "en", "value": "HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although the application does not return the response body from the target service, its UI behavior differs depending on the network state of the destination. This creates a behavioral side-channel that enables internal service enumeration. This vulnerability is fixed in 0.24.0-rc.1."}], "source": {"advisory": "GHSA-cm7p-5mg5-82pm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T16:28:32.409830Z", "id": "CVE-2026-27600", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T16:28:41.237Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27600", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-04T16:28:32.409830Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T16:28:35.981Z"}}], "cna": {"title": "HomeBox affected by Blind SSRF", "source": {"advisory": "GHSA-cm7p-5mg5-82pm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "sysadminsmedia", "product": "homebox", "versions": [{"status": "affected", "version": "< 0.24.0-rc.1"}]}], "references": [{"url": "https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-cm7p-5mg5-82pm", "name": "https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-cm7p-5mg5-82pm", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although the application does not return the response body from the target service, its UI behavior differs depending on the network state of the destination. This creates a behavioral side-channel that enables internal service enumeration. This vulnerability is fixed in 0.24.0-rc.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-03T22:23:04.268Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27600", "state": "PUBLISHED", "dateUpdated": "2026-03-04T16:28:41.237Z", "dateReserved": "2026-02-20T19:43:14.602Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-03T22:23:04.268Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sysadminsmedia:homebox:*:*:*:*:*:*:*:*", "matchCriteriaId": "16FA5C78-4497-4434-802B-AAA83C1BF0A8", "versionEndIncluding": "0.23.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although the application does not return the response body from the target service, its UI behavior differs depending on the network state of the destination. This creates a behavioral side-channel that enables internal service enumeration. This vulnerability is fixed in 0.24.0-rc.1."}], "id": "CVE-2026-27600", "lastModified": "2026-03-05T21:15:49.963", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-03T23:15:55.400", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-cm7p-5mg5-82pm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.24.0-rc.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "homebox", "source": "cna", "vendor": "sysadminsmedia"}, "product": "homebox", "vendor": "sysadminsmedia"}], "analysis": {"en": {"generated_at": "2026-04-16T13:52:04.018182+00:00", "value": {"mitigation_remediation": ["Upgrade HomeBox to version 0.24.0\u2011rc.1 or later, where the notifier input is validated and limited to approved destinations.", "If the notifier feature is not required, disable it entirely through the application configuration to eliminate the SSRF entry point.", "Configure network controls, such as a firewall or proxy, to restrict outbound HTTP connections from HomeBox to a vetted list of external hosts, preventing unauthorized requests."], "summary": {"action": "Immediate Patch", "impact": "Internal service enumeration via blind SSRF"}, "threat_synthesis": {"affected_systems": "HomeBox from sysadminsmedia, versions prior to 0.24.0-rc.1, are affected. The vulnerability appears only for users who have authenticated access to the application and can configure the notifier feature.", "description_and_impact": "The notifier function in HomeBox allows authenticated users to provide any URL that the application will POST to, without validating the host, IP address, or port. Although it does not return the target\u2019s response body, the user interface behaves differently depending on whether the request succeeds or times out, creating a side\u2011channel that can be used to discover services and open ports on machines within the same internal network. This flaw does not grant direct code execution or data exfiltration, but it gives an attacker the ability to map the internal topology of a HomeBox deployment.", "risk_and_exploitability": "The CVSS score of 5.0 indicates moderate severity, and the EPSS value of less than 1% suggests a low probability of exploitation at the time of analysis. The flaw is not listed in the CISA KEV catalog, meaning no publicly known exploits have been reported. Exploitation requires an attacker to log in to a HomeBox instance and craft specific URLs for the notifier; the effect relies on observing UI changes to infer the status of remote endpoints. While the attack surface is limited to authenticated users, the potential impact of revealing sensitive internal network structure warrants prompt remediation."}}}}, "created": "2026-03-04T14:53:35.506264+00:00", "updated": "2026-04-16T14:00:19.464559+00:00", "vendors": ["sysadminsmedia", "sysadminsmedia$PRODUCT$homebox"]}