4.3
HomeBox Sends Data to Unverified Websites
CVE-2026-27600
Summary
HomeBox, a home inventory and organization system, sends HTTP POST requests to any URL an authenticated user configures as a notifier, without validating the host, IP address, or port. Because the UI behaves differently depending on the network state of the destination, an attacker with an account could find out what other services are running on your network. HomeBox versions prior to 0.24.0-rc.1 are affected. Update to version 0.24.0-rc.1 or later to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| sysadminsmedia | homebox | <= 0.23.1 | – |
Original title
HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST r...
Original description
HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although the application does not return the response body from the target service, its UI behavior differs depending on the network state of the destination. This creates a behavioral side-channel that enables internal service enumeration. This vulnerability is fixed in 0.24.0-rc.1.
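An added example, not HomeBox's code or its actual fix: one way to restrict where notifier requests may connect, by checking the resolved IP at connect time in Go. The names `isPublicAddr` and `newNotifierClient` are hypothetical, and the sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"syscall"
	"time"
)

// isPublicAddr reports whether addr ("ip:port", the form Dialer.Control
// receives after DNS resolution) is a public unicast destination.
func isPublicAddr(addr string) bool {
	ap, err := netip.ParseAddrPort(addr)
	if err != nil {
		return false // fail closed on anything unparseable
	}
	ip := ap.Addr().Unmap() // treat ::ffff:127.0.0.1 as 127.0.0.1
	// IsGlobalUnicast already excludes loopback, link-local, multicast,
	// unspecified and IPv4 broadcast; IsPrivate adds RFC 1918 and fc00::/7.
	return ip.IsGlobalUnicast() && !ip.IsPrivate()
}

// newNotifierClient (hypothetical helper, not HomeBox code) builds a client
// whose every outbound connection is checked against isPublicAddr.
func newNotifierClient() *http.Client {
	d := &net.Dialer{
		Timeout: 5 * time.Second,
		// Control runs on the resolved IP just before connect, so a hostname
		// that resolves to an internal address is rejected as well.
		Control: func(_, address string, _ syscall.RawConn) error {
			if !isPublicAddr(address) {
				return fmt.Errorf("notifier destination %s not allowed", address)
			}
			return nil
		},
	}
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext}, // no proxy
	}
}

func main() {
	// Constructed sample destinations.
	for _, a := range []string{"127.0.0.1:6379", "10.0.0.5:8080",
		"169.254.169.254:80", "[::1]:5432", "93.184.216.34:443"} {
		fmt.Printf("%-22s allowed=%v\n", a, isPublicAddr(a))
	}
}
```

Ranges such as 100.64.0.0/10 are not covered by these predicates and would need an explicit prefix check. Showing the user one generic result however the request ends addresses the UI side-channel the description mentions.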
NVD CVSS 3.1
4.3
Vulnerability type
CWE-918
Server-Side Request Forgery (SSRF)
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026