
HomeBox Allows Malicious Attachments to Execute Code

CVE-2026-26272
Summary

A security flaw in HomeBox's attachment upload feature allows attackers to upload malicious files that can execute code in your browser when opened. This can lead to unauthorized actions or data theft. Update to the latest version to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| sysadminsmedia | homebox | <= 0.23.1 | – |
Original title
HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting (XSS) vulnerability exists in the item attachment upload functionality. The application does...
Original description
HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting (XSS) vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload malicious HTML or SVG files containing executable JavaScript (also, potentially other formats that render scripts). Uploaded attachments are accessible via direct links. When a user accesses such a file in their browser, the embedded JavaScript executes in the context of the application's origin. This vulnerability is fixed in 0.24.0-rc.1.
nvd CVSS3.1 5.4
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026
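
One way a Go file-serving layer can close the stored-XSS path in the description above, as an added example (this is not HomeBox's code or its 0.24.0-rc.1 fix). The `AttachmentHeaders` function and the `inlineSafe` allow-list are hypothetical names; the function sniffs the stored bytes and serves everything except a few raster image types as a sandboxed download.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"path/filepath"
)

// inlineSafe lists sniffed types a browser renders without running script.
// Assumption: illustrative set; HTML, SVG and XML are deliberately absent.
var inlineSafe = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true,
}

// AttachmentHeaders builds response headers for a stored upload. The type is
// taken from the bytes, never from the client-supplied name or MIME type.
func AttachmentHeaders(filename string, data []byte) http.Header {
	h := http.Header{}
	sniffed, _, _ := mime.ParseMediaType(http.DetectContentType(data))
	disposition := "attachment"
	if inlineSafe[sniffed] {
		disposition = "inline"
	} else {
		// Anything else is handed over as opaque bytes to download.
		sniffed = "application/octet-stream"
	}
	h.Set("Content-Type", sniffed)
	h.Set("X-Content-Type-Options", "nosniff") // no browser-side re-sniffing
	// sandbox gives the response an opaque origin, so it cannot act as the app.
	h.Set("Content-Security-Policy", "sandbox; default-src 'none'")
	h.Set("Content-Disposition", mime.FormatMediaType(disposition,
		map[string]string{"filename": filepath.Base(filename)}))
	return h
}

func main() {
	// Constructed samples: an SVG with a script element and a bare PNG signature.
	svg := []byte(`<svg xmlns="http://www.w3.org/2000/svg"><script>/* script */</script></svg>`)
	png := []byte("\x89PNG\r\n\x1a\n")
	for name, body := range map[string][]byte{"plan.svg": svg, "photo.png": png} {
		h := AttachmentHeaders(name, body)
		fmt.Println(name, "->", h.Get("Content-Type"), "|", h.Get("Content-Disposition"))
	}
}
```

Serving attachments from a separate origin that holds no session cookies is a complementary control.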