CVE-2026-28679

{"id": "CVE-2026-28679", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-06T05:16:36.977", "references": [{"url": "https://github.com/xemle/home-gallery/releases/tag/v1.21.0", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/xemle/home-gallery/security/advisories/GHSA-xj65-hcj5-h6j3", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. Prior to version 1.21.0, when a user requests a download, the application does not verify whether the requested file is located within the media source directory, which can result in sensitive system files being downloadable as well. This issue has been patched in version 1.21.0."}, {"lang": "es", "value": "Home-Gallery.org es una galer\u00eda web de c\u00f3digo abierto autoalojada para explorar fotos y videos personales. Antes de la versi\u00f3n 1.21.0, cuando un usuario solicita una descarga, la aplicaci\u00f3n no verifica si el archivo solicitado se encuentra dentro del directorio de origen de medios, lo que puede resultar en que archivos sensibles del sistema tambi\u00e9n sean descargables. Este problema ha sido parcheado en la versi\u00f3n 1.21.0."}], "lastModified": "2026-03-10T19:54:04.837", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:home-gallery:homegallery:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF833E3A-4AA0-42A2-82D3-A3DB202EF43B", "versionEndExcluding": "1.21.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}