Stored XSS Vulnerability in HomeBox by Sysadmins Media
CVE-2026-26272

4.6MEDIUM

Key Information:

Vendor: Sysadminsmedia
Status: Homebox
Vendor: CVE Published:; 3 March 2026

🔔 Create Sysadminsmedia Vulnerability Alert

What is CVE-2026-26272?

HomeBox, an inventory and organization application, is susceptible to a stored cross-site scripting vulnerability due to insufficient validation of uploaded files. Prior to version 0.24.0-rc.1, it allows authenticated users to upload harmful HTML or SVG files that can include executable JavaScript. These malicious attachments can be accessed through direct links, potentially resulting in the execution of embedded scripts in the context of the application's origin whenever a user interacts with these files. This critical flaw underscores the need for proper file validation measures to mitigate security risks in web applications.

Affected Version(s)

homebox < 0.24.0-rc.1

References

https://github.com/sysadminsmedia/homebox/security/adviso...

x_refsource_CONFIRM

https://github.com/sysadminsmedia/homebox/commit/51bd04e5...

x_refsource_MISC

CVSS V3.1

Score:

4.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 3, 2026
Vulnerability Reserved
Feb 12, 2026

CVE-2026-26272 Data

JSON