CVE-2026-27600
MEDIUM
HomeBox < 0.23.1 - Authenticated Server-Side Request Forgery via Notifier URL Parameter
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2026-27600. PoCs published by G3XAR.
AI-analyzed exploit summary: This repository contains a functional SSRF scanner for CVE-2026-27600, targeting Homebox versions < 0.23.1. The exploit leverages the notifier functionality to perform internal port scanning via a blind SSRF vulnerability.
Description
HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although the application does not return the response body from the target service, its UI behavior differs depending on the network state of the destination. This creates a behavioral side-channel that enables internal service enumeration. This vulnerability is fixed in 0.24.0-rc.1.
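The description says no restriction was applied to the notifier's host, IP address, or port. The following Go code is an added example of that kind of destination check; it is not HomeBox's code or its actual fix, which this page does not show. The names `CheckNotifierURL`, `publicAddr` and `staticLookup`, the policy (http/https on ports 80/443, public addresses only) and the resolver table are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
)

// publicAddr reports whether ip is outside loopback, link-local and private ranges.
func publicAddr(ip netip.Addr) bool {
	ip = ip.Unmap() // treat ::ffff:10.0.0.5 as 10.0.0.5
	return ip.IsGlobalUnicast() && !ip.IsPrivate() // GlobalUnicast excludes loopback/link-local
}

// CheckNotifierURL (hypothetical helper, assumed policy) rejects internal destinations.
func CheckNotifierURL(raw string, lookup func(string) ([]netip.Addr, error)) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return errors.New("only http and https URLs are accepted")
	}
	if p := u.Port(); p != "" && p != "80" && p != "443" {
		return fmt.Errorf("port %s is not allowed", p)
	}
	var addrs []netip.Addr
	if ip, perr := netip.ParseAddr(u.Hostname()); perr == nil {
		addrs = []netip.Addr{ip} // IP literal: check it directly
	} else if addrs, err = lookup(u.Hostname()); err != nil || len(addrs) == 0 {
		return fmt.Errorf("host %q did not resolve", u.Hostname())
	}
	for _, ip := range addrs {
		if !publicAddr(ip) {
			return fmt.Errorf("address %s is internal", ip)
		}
	}
	return nil
}

// staticLookup is a constructed resolver table so the example runs offline.
func staticLookup(host string) ([]netip.Addr, error) {
	ip, err := netip.ParseAddr(map[string]string{"hooks.example.com": "203.0.113.10", "intranet.example.com": "10.0.0.5"}[host])
	return []netip.Addr{ip}, err
}

func main() {
	for _, s := range []string{"https://hooks.example.com/notify", "http://127.0.0.1:6379/", "http://intranet.example.com/"} {
		fmt.Println(s, "->", CheckNotifierURL(s, staticLookup))
	}
}
```

A check made only when the URL is saved can be bypassed by a later DNS change or an HTTP redirect, so the same address test should also run at connection time, for example in the `Control` hook of `net.Dialer`.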
Exploits (1)
This repository contains a functional SSRF scanner for CVE-2026-27600, targeting Homebox versions < 0.23.1. The exploit leverages the notifier functionality to perform internal port scanning via a blind SSRF vulnerability.
References (1)
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N