CVE-2026-27600 MEDIUM

CVE-2026-27600: HomeBox affected by Blind SSRF

Vendor Sysadminsmedia
Product homebox
Weakness CWE-918 · SSRF
Published March 3, 2026
Last update March 4, 2026

CVSS base score

5.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01 Description

HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although the application does not return the response body from the target service, its UI behavior differs depending on the network state of the destination. This creates a behavioral side-channel that enables internal service enumeration. This vulnerability is fixed in 0.24.0-rc.1.
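One way to constrain outbound notifier requests of this kind, shown as an added example that is not HomeBox's code or its actual fix: a Go HTTP client that vets the destination of every connection at dial time. The names `checkDialAddr`, `newNotifierClient` and `errBlocked`, the port allow-list and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"syscall"
	"time"
)

// errBlocked is the single error returned for every rejected target (assumed name).
var errBlocked = errors.New("notifier destination not allowed")

// allowedPorts is an assumed policy; adjust it to the notifier services in use.
var allowedPorts = map[uint16]bool{80: true, 443: true}

// checkDialAddr vets the literal ip:port the socket is about to connect to.
// At dial time the address is the one DNS actually returned, so a hostname
// that resolves to an internal address is rejected as well.
func checkDialAddr(address string) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return errBlocked
	}
	ip := ap.Addr().Unmap() // treat ::ffff:a.b.c.d as plain IPv4
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsMulticast() || ip.IsUnspecified() || !allowedPorts[ap.Port()] {
		return errBlocked
	}
	return nil
}

// newNotifierClient returns a client whose every connection, including those
// opened while following redirects, passes through checkDialAddr.
func newNotifierClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second,
		Control: func(_, address string, _ syscall.RawConn) error { return checkDialAddr(address) }}
	return &http.Client{Timeout: 10 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext, Proxy: nil}}
}

func main() {
	// Constructed sample destinations: loopback, link-local, documentation range.
	for _, a := range []string{"127.0.0.1:8080", "169.254.169.254:80", "203.0.113.10:443"} {
		fmt.Println(a, "->", checkDialAddr(a))
	}
}
```

Filtering destinations does not by itself close the behavioral side-channel: the notifier test should also report one fixed message for every delivery failure, so the UI does not distinguish a blocked, closed or unreachable target.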

Key dates

02 Disclosure timeline

March 3, 2026 CVE published
March 4, 2026 Record updated
