CVE-2026-27600

Name of the Vulnerable Software and Affected Versions HomeBox versions prior to 0.24.0-rc.1

Description HomeBox is a home inventory and organization system. The notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. There is no validation applied to the supplied host, IP address, or port. The application’s user interface behavior differs based on the network state of the destination, creating a behavioral side-channel that enables internal service enumeration. The application does not return the response body from the target service.

Recommendations Update to version 0.24.0-rc.1 or later.