CVE-2026-26272 is a stored cross-site scripting vulnerability affecting sysadminsmedia's HomeBox, a home inventory and organization system. The vulnerability exists in versions prior to 0.24.0-rc.1 within the item attachment upload functionality. Specifically, the application fails to properly validate or restrict the types of files that authenticated users can upload. This allows attackers to upload files such as HTML or SVG containing malicious JavaScript code. Since these uploaded attachments are accessible via direct URLs, any user who accesses the malicious file will have the embedded JavaScript executed in the context of the HomeBox application's origin. This can lead to theft of session cookies, unauthorized actions performed on behalf of users, or other client-side attacks. Exploitation requires the attacker to have valid credentials (authenticated user) and for a victim to access the malicious file (user interaction). The vulnerability does not affect confidentiality or availability directly but impacts integrity and confidentiality at a limited scope. The CVSS v3.1 base score is 4.6, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges and user interaction. The vulnerability was publicly disclosed on March 3, 2026, and fixed in version 0.24.0-rc.1. No known exploits have been reported in the wild to date.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity within the HomeBox application. An attacker with authenticated access can upload malicious files that execute JavaScript in other users' browsers, potentially stealing session tokens, performing unauthorized actions, or delivering further malware. This can lead to unauthorized data access or manipulation within the HomeBox environment. Although the vulnerability does not directly affect system availability, the trustworthiness of the application is undermined, which could lead to user attrition or reputational damage. Organizations using HomeBox for inventory management may face risks of internal data leakage or manipulation, especially if multiple users share access. Since exploitation requires authentication and user interaction, the risk is somewhat mitigated but remains significant in environments with many users or where account compromise is possible. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially if attackers develop proof-of-concept exploits.

To mitigate this vulnerability, organizations should upgrade HomeBox to version 0.24.0-rc.1 or later, where the issue is fixed. Until upgrade is possible, administrators should restrict upload permissions strictly to trusted users and consider disabling the attachment upload feature if not essential. Implementing additional server-side validation to restrict file types to safe formats (e.g., disallowing HTML, SVG, or any file types capable of embedding scripts) can reduce risk. Employ Content Security Policy (CSP) headers to limit script execution and reduce the impact of any injected scripts. Educate users to avoid clicking on suspicious or unexpected attachment links. Regularly audit uploaded files for suspicious content. Monitoring application logs for unusual upload activity or access patterns can help detect exploitation attempts. Finally, ensure that authentication mechanisms are robust to prevent unauthorized access that could facilitate exploitation.