5 matches found
CVE-2026-40196
HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the...
CVE-2026-40196
HomeBox (home inventory system) versions prior to 0.25.0 are affected by an access control flaw where a user’s defaultGroup ID remains assigned after being invited to a group, and revocation via the web interface does not apply to the API. The root cause is that the original group ID persists as ...
CVE-2026-40196 HomeBox has Unauthorized API Access via Retained defaultGroup ID After Group Access Revocation
HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the...
CVE-2026-27981 HomeBox has an Auth Rate Limit Bypass via IP Spoofing
HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter authRateLimiter tracks failed attempts per client IP. It determines the client IP by reading, 1. X-Real-IP header, 2. First entry of X-Forwarded-For header, and 3. r.RemoteAddr TCP connection...
CVE-2025-53108 HomeBox Missing User Authorization
HomeBox is a home inventory and organization system. Prior to 0.20.1, HomeBox contains a missing authorization check in the API endpoints responsible for updating and deleting inventory item attachments. This flaw allows authenticated users to perform unauthorized actions on inventory item...