Platform: other
Component: home-gallery
Fixed in: 1.21.1
CVE-2026-28679 describes a Path Traversal vulnerability discovered in HomeGallery, a self-hosted web gallery application. This flaw allows unauthorized users to potentially download sensitive system files by manipulating download requests. The vulnerability impacts versions of HomeGallery prior to 1.21.0, and a patch has been released in version 1.21.0.
An attacker exploiting this vulnerability could bypass intended access controls and retrieve arbitrary files from the server's file system. This includes potentially sensitive configuration files, source code, or even private user data. The blast radius extends beyond the web gallery itself, potentially exposing the entire server's contents. While no direct remote code execution is possible, the exposure of sensitive data could lead to further compromise, such as credential theft and lateral movement within the network. The ability to download system files represents a significant security risk.
CVE-2026-28679 was publicly disclosed on 2026-03-06. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the relatively straightforward nature of path traversal vulnerabilities, it is prudent to assume potential for exploitation.
Exploit Status
EPSS: 0.06% (18th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-28679 is to upgrade HomeGallery to version 1.21.0 or later without delay. If an upgrade is not immediately feasible, consider a Web Application Firewall (WAF) rule that blocks requests containing path traversal patterns (e.g., '../'). Restrict file permissions on the media source directory so the gallery process cannot read files outside it. Regularly review and audit file access logs for unusual download requests. After upgrading, confirm the fix by issuing a download request with a path traversal payload (e.g., /../../../../etc/passwd) and verifying that access is denied.
Update HomeGallery to version 1.21.0 or higher. This version fixes the path traversal vulnerability that allows arbitrary file reading.
CVE-2026-28679 is a Path Traversal vulnerability affecting HomeGallery versions prior to 1.21.0, allowing attackers to potentially download sensitive system files.
You are affected if you are using HomeGallery version 1.21.0 or earlier. Upgrade to 1.21.0 to resolve the vulnerability.
Upgrade HomeGallery to version 1.21.0. As a temporary workaround, implement a WAF rule to block suspicious path traversal patterns.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature suggests potential for future attacks.
Refer to the HomeGallery project's official website and security advisories for the latest information: https://home-gallery.org/