Plattform
other
Komponente
home-gallery
Behoben in
1.21.1
CVE-2026-28679 describes a Path Traversal vulnerability discovered in HomeGallery, a self-hosted web gallery application. This flaw allows unauthorized users to potentially download sensitive system files by manipulating file paths during download requests. Versions of HomeGallery prior to 1.21.0 are affected, and a patch has been released to address the issue.
The primary impact of this vulnerability is the potential for attackers to gain access to sensitive system files. By crafting malicious download requests, an attacker can bypass intended file access controls and retrieve files outside of the intended media directory. This could include configuration files, source code, or other sensitive data that could be exploited for further attacks or data exfiltration. The blast radius extends to any system running a vulnerable version of HomeGallery, potentially exposing the entire server's contents.
This vulnerability was publicly disclosed on 2026-03-06. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The ease of exploitation is relatively low due to the need for specific request manipulation, but the potential impact is high if successful.
Organizations and individuals using self-hosted instances of HomeGallery, particularly those with legacy configurations or inadequate file permission settings, are at risk. Shared hosting environments where multiple users share the same server are also potentially vulnerable if HomeGallery is installed.
disclosure
Exploit-Status
EPSS
0.06% (18% Perzentil)
CISA SSVC
CVSS-Vektor
The recommended mitigation is to immediately upgrade HomeGallery to version 1.21.0 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to filter out suspicious file path requests. Restrict file access permissions within the HomeGallery directory to minimize the potential damage if the vulnerability is exploited. Monitor access logs for unusual file download patterns. After upgrade, confirm the fix by attempting a download request with a path traversal payload (e.g., ../../../../etc/passwd) and verifying that access is denied.
Actualice HomeGallery a la versión 1.21.0 o superior. Esta versión corrige la vulnerabilidad de path traversal que permite la lectura de archivos arbitrarios.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-28679 is a Path Traversal vulnerability affecting HomeGallery versions prior to 1.21.0, allowing attackers to potentially download sensitive system files.
You are affected if you are using HomeGallery version 1.21.0 or earlier. Upgrade to 1.21.0 to resolve the vulnerability.
Upgrade HomeGallery to version 1.21.0. As a temporary workaround, implement a WAF rule to block suspicious path traversal patterns.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature suggests potential for future attacks.
Refer to the HomeGallery project's official website and security advisories for the latest information: https://home-gallery.org/
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.