Platform
php
Component
talishar
Fixed in
6.0.1
CVE-2026-28429 describes a Path Traversal vulnerability in Talishar, a fan-made Flesh and Blood project written in PHP. An attacker can potentially read files outside the intended directory by manipulating the gameName parameter. The issue affects versions of Talishar before commit 6be3871 and is resolved in that commit.
The vulnerability stems from ParseGamestate.php being reachable directly as a standalone script. The application's main entry points validate their input, but this component performs no sanitization of its own, so it can be invoked with a gameName containing directory traversal sequences such as '../' and made to walk the file system relative to the game-state directory. Successful exploitation could disclose configuration files, source code, or other data readable by the web server process. The blast radius depends on the server configuration, the file permissions of the PHP process, and what is stored in the directories it can reach.
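The following is an added example, not Talishar's own code, that sketches the two shapes described above: a component script that concatenates gameName into a file path, and the same script hardened with an allow-list, a realpath containment check, and a guard against direct invocation. The directory layout (Games/<gameName>/gamestate.txt) and the TALISHAR_ENTRY_POINT constant are assumptions made for illustration.

```php
<?php
// Added example (not the project's code). Directory layout and the
// entry-point constant below are assumptions, not Talishar's real ones.

const GAMES_DIR = __DIR__ . '/Games';

// Vulnerable pattern: the request parameter flows straight into the path.
// gameName=../../config resolves to <webroot>/config/gamestate.txt, i.e.
// outside GAMES_DIR, and anything readable by the PHP process is exposed.
function unsafeGamestatePath(string $gameName): string
{
    return GAMES_DIR . '/' . $gameName . '/gamestate.txt';
}

// Hardened pattern, two layers:
// 1. allow-list the identifier (assumed format: 1-64 chars of [A-Za-z0-9_-]),
//    which rejects ".", "..", separators and, because PHP has already decoded
//    the query string, their percent-encoded forms as well;
// 2. canonicalise with realpath() and require the result to sit under
//    GAMES_DIR, so a symlink or an unexpected layout still cannot escape.
function safeGamestatePath(string $gameName): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $gameName)) {
        return null;
    }
    $base = realpath(GAMES_DIR);
    $candidate = realpath(GAMES_DIR . '/' . $gameName . '/gamestate.txt');
    if ($base === false || $candidate === false) {
        return null; // missing game (or games dir) is rejected, not probed
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // canonical path resolved outside GAMES_DIR
    }
    return $candidate;
}

// Refuse direct invocation: the validated entry points define this constant
// (assumed name) before including the component, so a bare request to the
// component's URL gets a 403 instead of reaching an unvalidated code path.
if (!defined('TALISHAR_ENTRY_POINT')) {
    http_response_code(403);
    exit('Direct access not permitted');
}

// gameName[]=x would arrive as an array; treat anything but a string as empty.
$raw = $_GET['gameName'] ?? '';
$path = safeGamestatePath(is_string($raw) ? $raw : '');
if ($path === null) {
    http_response_code(400);
    exit('Invalid gameName');
}
echo file_get_contents($path);
```

The allow-list is the real fix; the realpath check and the include guard are defence in depth, so that a future caller that forgets validation, or a symlink dropped into the games directory, still cannot turn the component into a file reader.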
This vulnerability was publicly disclosed on 2026-03-06. No public proof-of-concept exploit is currently known, and the vulnerability is not listed in the CISA KEV catalog at the time of writing. Given the nature of the issue and the relatively low profile of the project, active exploitation is considered unlikely, but operators should still patch and watch for traversal attempts against this script.
Exploit Status
EPSS: 0.47% (64th percentile)
The primary mitigation for CVE-2026-28429 is to upgrade Talishar to commit 6be3871 or later, which adds the missing input validation. If upgrading is not immediately feasible, restrict direct access to the ParseGamestate.php script with web-server access controls, or move it outside the webroot and include it only from the validated entry points. Consider a Web Application Firewall (WAF) rule that blocks requests to this script whose gameName contains directory traversal sequences, including their URL-encoded forms. Regularly review and harden the file permissions of the PHP process so that a successful traversal exposes as little as possible.
Update Talishar to the version containing commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48 or later. This corrects the Path Traversal vulnerability in the gameName parameter.
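As an added example of the detection side of the mitigation above (not code from the project or the advisory), the script below scans web-server access log lines for requests to ParseGamestate.php whose gameName carries a traversal sequence, normalising single and double percent-encoding first. The log lines are constructed for illustration in the common "combined" format; the script path and parameter name are taken from the advisory.

```php
<?php
// Added example, not Talishar's code. Log lines below are constructed.

const TARGET_SCRIPT = '/ParseGamestate.php';

// Decode percent-encoding repeatedly (bounded) so that %2e%2e%2f and the
// double-encoded %252e%252e%252f both normalise to "../". Backslashes are
// folded to "/" so Windows-style separators are matched by the same rule.
function normaliseValue(string $value): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return str_replace('\\', '/', $value);
}

// Returns the normalised gameName when the request targets the component and
// the parameter contains a ".." path component; null otherwise.
function traversalAttempt(string $logLine): ?string
{
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    $url = parse_url($m[1]);
    if (!isset($url['path'], $url['query']) || !str_ends_with($url['path'], TARGET_SCRIPT)) {
        return null;
    }
    parse_str($url['query'], $params); // performs one level of URL decoding
    if (!isset($params['gameName']) || !is_string($params['gameName'])) {
        return null;
    }
    $value = normaliseValue($params['gameName']);
    // A bare ".." component at the start, middle or end of the value.
    if (preg_match('#(^|/)\.\.(/|$)#', $value)) {
        return $value;
    }
    return null;
}

// Constructed sample log lines: one benign request, one plain traversal,
// one double-encoded traversal, and one traversal against a different
// script (out of scope for this scanner, which is limited to the component).
$constructedLogLines = [
    '203.0.113.5 - - [06/Mar/2026:10:00:01 +0000] "GET /ParseGamestate.php?gameName=abc123 HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Mar/2026:10:00:02 +0000] "GET /ParseGamestate.php?gameName=../../config HTTP/1.1" 200 2048',
    '203.0.113.9 - - [06/Mar/2026:10:00:03 +0000] "GET /ParseGamestate.php?gameName=%252e%252e%252fconfig HTTP/1.1" 200 2048',
    '203.0.113.9 - - [06/Mar/2026:10:00:04 +0000] "GET /index.php?gameName=../x HTTP/1.1" 200 100',
];

foreach ($constructedLogLines as $line) {
    $hit = traversalAttempt($line);
    if ($hit !== null) {
        echo "traversal attempt against " . TARGET_SCRIPT . ": gameName=$hit\n";
    }
}
```

Only the second and third lines are reported. Matching on the decoded ".." component rather than on the literal string "../" is what catches the encoded variants; a WAF rule that inspects only the raw query string misses them. Widening the scanner to every script is a one-line change to the path check if traversal attempts elsewhere are also of interest.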
CVE-2026-28429 is a Path Traversal vulnerability in Talishar that lets an attacker potentially read unauthorized files by manipulating the gameName parameter of ParseGamestate.php.
You are affected if you run a version of Talishar before commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48 and ParseGamestate.php is directly reachable over the web.
Upgrade Talishar to commit 6be3871 or later. Alternatively, restrict direct access to ParseGamestate.php and deploy WAF rules that block directory traversal attempts, including URL-encoded ones.
No active exploitation has been confirmed at this time, but vigilance is still advised.
Refer to the project's repository or communication channels for the official advisory regarding this vulnerability.