CVE-2026-28679

HIGH

Home-Gallery.org <1.21.0 - Path Traversal

Title source: llm

Description

Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. Prior to version 1.21.0, when a user requests a download, the application does not verify whether the requested file is located within the media source directory, which can result in sensitive system files being downloadable as well. This issue has been patched in version 1.21.0.

References (2)

[Release Notes] https://github.com/xemle/home-gallery/releases/tag/v1.21.0

[Vendor Advisory] https://github.com/xemle/home-gallery/security/advisories/GHSA-xj65-hcj5-h6j3

Scores

CVSS v3 8.6

EPSS 0.0004

EPSS Percentile 13.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Classification

CWE

CWE-22

Status draft

Timeline

Published Mar 06, 2026

Tracked Since Mar 06, 2026