Platform
php
Component
talishar
Fixed in
6.0.1
CVE-2026-28429 describes a Path Traversal vulnerability discovered in Talishar, a fan-made Flesh and Blood project. This flaw allows an attacker to potentially access unauthorized files by manipulating the gameName parameter. The vulnerability affects versions of Talishar prior to commit 6be3871 and has been addressed in the patched version.
The primary impact of this Path Traversal vulnerability lies in the potential for unauthorized file access. Because ParseGamestate.php can be accessed directly as a standalone script, bypassing typical application input validation, an attacker can craft malicious requests containing directory traversal sequences (e.g., ../../). Successful exploitation could allow an attacker to read sensitive configuration files, source code, or other data stored on the server. The blast radius is limited to the server hosting the Talishar application, but the potential for data exposure remains significant. While no direct precedent exists for this specific vulnerability, path traversal flaws are commonly exploited to gain unauthorized access to systems.
This vulnerability was publicly disclosed on 2026-03-06. No public proof-of-concept exploits are currently known. The vulnerability is not listed on the CISA KEV catalog. Given the relatively limited scope of Talishar and the lack of public exploits, the probability of exploitation is considered low.
This vulnerability primarily affects users who are running vulnerable versions of Talishar, particularly those who have exposed the ParseGamestate.php script directly to the internet. Shared hosting environments where multiple users share the same server are also at increased risk, as a compromise of one user's account could potentially lead to access to other users' data.
• php: Examine web server access logs for requests containing directory traversal sequences (e.g., ../).
• php: Search for the ParseGamestate.php file in the webroot and verify that it is not directly accessible.
• generic web: Use curl to test for directory traversal:
curl 'http://your-talishar-server/ParseGamestate.php?gameName=../../../../etc/passwd'
• generic web: Monitor file integrity for critical system files to detect unauthorized modifications.
EPSS
0.47% (64th percentile)
The primary mitigation for CVE-2026-28429 is to upgrade to the patched version of Talishar, commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48. If an immediate upgrade is not feasible, consider restricting direct access to the ParseGamestate.php script. This can be achieved by implementing stricter access controls or relocating the script to a directory not directly accessible via the web. Additionally, review and strengthen input validation routines within the application to prevent similar vulnerabilities from arising in the future. After upgrade, confirm the vulnerability is resolved by attempting a directory traversal request and verifying that access is denied.
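The stricter input validation called for above, as an added example written for this page rather than Talishar's own code: a PHP resolver that allow-lists the gameName parameter and then confirms with realpath() that the final path still sits inside the game-state directory. The class name, the flat base-directory layout and the .json suffix are assumptions.

```php
<?php
// Added example, not Talishar's code: turn an untrusted gameName into a
// file path safely. Assumes game states live as "<gameName>.json" directly
// under one fixed directory (assumption).
declare(strict_types=1);

final class GameStatePath
{
    // Allow-list: short, alphanumeric names only. "." and "/" can never pass,
    // so "../" sequences, absolute paths and NUL bytes are all rejected.
    // \z (not $) so a trailing newline cannot slip through.
    private const NAME_PATTERN = '/^[A-Za-z0-9_-]{1,64}\z/';

    public function __construct(private string $baseDir) {}

    /** Returns the canonical path, or null when the name must be refused. */
    public function resolve(string $gameName): ?string
    {
        if (preg_match(self::NAME_PATTERN, $gameName) !== 1) {
            return null;
        }
        // Canonicalise the base directory once; realpath() also resolves symlinks.
        $base = realpath($this->baseDir);
        if ($base === false) {
            return null;
        }
        $candidate = $base . DIRECTORY_SEPARATOR . $gameName . '.json';
        // Defence in depth: realpath() is false for a file that does not exist
        // yet, so canonicalise the parent directory and re-attach the file name.
        $real = realpath($candidate)
            ?: realpath(dirname($candidate)) . DIRECTORY_SEPARATOR . basename($candidate);
        // The resolved path must start with "<base>/" or we refuse it.
        if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
            return null;
        }
        return $real;
    }
}

// Stand-alone demo using a throwaway temp directory.
$dir = sys_get_temp_dir() . '/gamestate-demo-' . getmypid();
mkdir($dir);
$paths = new GameStatePath($dir);
foreach (['game42', '../../../../etc/passwd', 'a/b', "x\0y", "ok\n"] as $name) {
    printf("%-30s => %s\n", json_encode($name), $paths->resolve($name) ?? 'REJECTED');
}
rmdir($dir);
```

Only `game42` resolves; every other input is refused before any filesystem access happens, and the realpath() check catches anything the allow-list would ever miss.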
Update Talishar to the version containing commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48 or later. This fixes the Path Traversal vulnerability in the gameName parameter.
CVE-2026-28429 is a Path Traversal vulnerability in Talishar, allowing attackers to potentially access unauthorized files by manipulating the gameName parameter in ParseGamestate.php.
You are affected if you are using a version of Talishar prior to 6be3871a14c192d1fb8146cdbc76f29f27c1cf48 and the ParseGamestate.php script is directly accessible.
Upgrade Talishar to version 6be3871 or later. Alternatively, restrict direct access to ParseGamestate.php and implement WAF rules to block directory traversal attempts.
No active exploitation has been confirmed at this time, but vigilance is still advised.
Refer to the project's repository or communication channels for the official advisory regarding this vulnerability.