CVE-2026-28429 describes a Path Traversal vulnerability discovered in Talishar, a fan-made Flesh and Blood project. This vulnerability allows an attacker to potentially access unauthorized files by manipulating the gameName parameter. The issue is present in versions of Talishar prior to commit 6be3871 and has been resolved in that version.
The core of the vulnerability lies in the direct accessibility of the ParseGamestate.php component as a standalone script. While the application's main entry points include input validation, this component lacks internal sanitization. Consequently, an attacker can craft malicious requests containing directory traversal sequences, such as '../', to navigate the file system. Successful exploitation could lead to the disclosure of sensitive configuration files, source code, or other critical data stored on the server. The potential blast radius depends on the server's configuration and the data stored within accessible directories.
This vulnerability was publicly disclosed on 2026-03-06. No public proof-of-concept exploits are currently known. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the nature of the vulnerability and the relatively low profile of the project, active exploitation is considered unlikely, but vigilance is still advised.
This vulnerability primarily affects users who are running vulnerable versions of Talishar, particularly those who have exposed the ParseGamestate.php script directly to the internet. Shared hosting environments where multiple users share the same server are also at increased risk, as a compromise of one user's account could potentially lead to access to other users' data.
• php: Examine web server access logs for requests containing directory traversal sequences (e.g., ../).
• php: Search for the ParseGamestate.php file in the webroot and verify that it is not directly accessible.
• generic web: Use curl to test for directory traversal:
  curl 'http://your-talishar-server/ParseGamestate.php?gameName=../../../../etc/passwd'
• generic web: Monitor file integrity for critical system files to detect unauthorized modifications.
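The log review suggested above is easy to get wrong if only the literal string `../` is searched for, because the same sequence can arrive percent-encoded (`%2e%2e%2f`) or double-encoded. The following Python script is an added example, not code from Talishar or from this advisory: it parses a few constructed Apache/nginx-style access log lines, fully decodes the gameName parameter of requests to ParseGamestate.php, and flags values that contain a `..` path segment. It also shows the server-side shape of the fix the mitigation section describes (restricting what gameName may resolve to): an allowlist on the name plus a canonical-path check against a base directory. The base directory and the log format are assumptions for the example; only the script name and parameter name come from the advisory.

```python
import os
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines (Apache/nginx "combined"-style prefix).
# These are made up for this example and do not come from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Mar/2026:10:00:01 +0000] "GET /ParseGamestate.php?gameName=123456 HTTP/1.1" 200 512
203.0.113.9 - - [06/Mar/2026:10:00:02 +0000] "GET /ParseGamestate.php?gameName=../../../../etc/passwd HTTP/1.1" 200 1024
203.0.113.9 - - [06/Mar/2026:10:00:03 +0000] "GET /ParseGamestate.php?gameName=..%2F..%2Fconfig.php HTTP/1.1" 200 300
203.0.113.9 - - [06/Mar/2026:10:00:04 +0000] "GET /ParseGamestate.php?gameName=%2e%2e%2f%2e%2e%2fsecret HTTP/1.1" 404 120
198.51.100.2 - - [06/Mar/2026:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

# Matches the client IP, timestamp, method, request target and status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded %252e%252e is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if the decoded value contains a '..' path segment (either slash style)."""
    normalised = decode_fully(value).replace("\\", "/")
    return ".." in normalised.split("/")


def scan_access_log(text, script="ParseGamestate.php", param="gameName"):
    """Return one record per request whose `param` carries a traversal sequence."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/" + script):
            continue
        # parse_qs decodes once; is_traversal decodes any further layers.
        values = parse_qs(parts.query, keep_blank_values=True).get(param, [])
        for value in values:
            if is_traversal(value):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": m.group("status"),
                    "value": decode_fully(value),
                })
    return hits


def resolve_game_file(base_dir, game_name):
    """Server-side validation (hypothetical layout): only accept a short
    alphanumeric game name and refuse any path that escapes base_dir.
    Returns the canonical absolute path, or None if the name is unsafe."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", game_name):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, game_name))
    # Belt and braces: even an allowlisted name must canonicalise under base.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} gameName={hit['value']}")
    print(resolve_game_file("/tmp/games", "abc123"))
    print(resolve_game_file("/tmp/games", "../../etc/passwd"))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a 200 status on a flagged request is the line worth investigating first, since a 404 suggests the traversal did not resolve to an existing file. The allowlist in `resolve_game_file` is the stronger control: canonical-path comparison alone still lets an attacker probe directory structure through error differences, whereas rejecting anything outside `[A-Za-z0-9_-]` removes the traversal characters before a filesystem call is made.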
EPSS: 0.47% (64th percentile)
The primary mitigation for CVE-2026-28429 is to upgrade Talishar to version 6be3871 or later, which includes the necessary input validation fixes. If upgrading is not immediately feasible, restrict direct access to the ParseGamestate.php script by implementing access controls or moving it outside of the webroot. Consider implementing a Web Application Firewall (WAF) with rules to detect and block directory traversal attempts. Regularly review and harden the server's file permissions to minimize the potential impact of a successful attack.
Update Talishar to the version containing commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48 or later. This fixes the Path Traversal vulnerability in the gameName parameter.
CVE-2026-28429 is a Path Traversal vulnerability in Talishar, allowing attackers to potentially access unauthorized files by manipulating the gameName parameter in ParseGamestate.php.
You are affected if you are using a version of Talishar prior to 6be3871a14c192d1fb8146cdbc76f29f27c1cf48 and the ParseGamestate.php script is directly accessible.
Upgrade Talishar to version 6be3871 or later. Alternatively, restrict direct access to ParseGamestate.php and implement WAF rules to block directory traversal attempts.
No active exploitation has been confirmed at this time, but vigilance is still advised.
Refer to the project's repository or communication channels for the official advisory regarding this vulnerability.