NIXPKGS-2026-0512

GitHub issue published on

Permalink CVE-2026-27600

5.0 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE

updated 1 month, 3 weeks ago by @LeSuisse Activity log

Created suggestion 1 month, 3 weeks ago
@LeSuisse accepted 1 month, 3 weeks ago
@LeSuisse published on GitHub 1 month, 3 weeks ago

HomeBox affected by Blind SSRF

HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although the application does not return the response body from the target service, its UI behavior differs depending on the network state of the destination. This creates a behavioral side-channel that enables internal service enumeration. This vulnerability is fixed in 0.24.0-rc.1.

References

https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-cm7p-5mg5-82pm x_refsource_CONFIRM

Affected products

homebox

==< 0.24.0-rc.1

Matching in nixpkgs

pkgs.homebox

Inventory and organization system built for the Home User

nixos-unstable 0.23.1
- nixpkgs-unstable 0.23.1
- nixos-unstable-small 0.23.1
nixos-25.11 0.21.0
- nixos-25.11-small 0.21.0
- nixpkgs-25.11-darwin 0.21.0

Package maintainers

@PatrickDaG Patrick <patrick-nixos@failmail.dev>

Upstream advisory: https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-cm7p-5mg5-82pm

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0512

References

Affected products

Matching in nixpkgs

pkgs.homebox

Package maintainers