Is CVE-2026-26272 actively exploited?

CVE-2026-26272 has no public evidence of in-the-wild exploitation as of 2026-03-05.

What is the CVSS score for CVE-2026-26272?

CVE-2026-26272 has a CVSS score of 4.6 (MEDIUM severity). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N.

How do I patch CVE-2026-26272?

Patch guidance is available from sysadminsmedia security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2026-26272.

Which products are affected by CVE-2026-26272?

1 product: sysadminsmedia homebox.

CVE-2026-26272 - remediation guidance & executive summary

Description

HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting (XSS) vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload malicious HTML or SVG files containing executable JavaScript (also, potentially other formats that render scripts). Uploaded attachments are accessible via direct links. When a user accesses such a file in their browser, the embedded JavaScript executes in the context of the application's origin. This vulnerability is fixed in 0.24.0-rc.1.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector: network
Complexity: low
Privileges: low
User Action: required
Scope: unchanged
Confidentiality: low
Integrity: low
Availability: none
Weaknesses: CWE-79 · Cross-site Scripting (XSS)

Metadata

Primary Vendor: SYSADMINSMEDIA
Published: 3/3/2026
Last Modified: 3/5/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

sysadminsmedia : homebox

Remediation Guidance

Executive Summary

Cite this page

CVE-2026-26272. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2026-26272

View on NIST NVD

CVE-2026-26272 vulnerability