CVE-2026-28429
Published: 06 March 2026
Summary
CVE-2026-28429 is a high-severity Path Traversal (CWE-22) vulnerability in Talishar. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-28429 is a path traversal vulnerability (CWE-22) affecting Talishar, a fan-made web project for the Flesh and Blood trading card game. The issue resides in the ParseGamestate.php component, specifically the gameName parameter, in versions prior to commit 6be3871. Although the application's main entry points include input validation, direct access to ParseGamestate.php as a standalone script bypasses this, allowing directory traversal sequences like "../" to be processed without sanitization. This can result in unauthorized access to files on the server. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with low attack complexity.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. By crafting a request to ParseGamestate.php with a malicious gameName parameter containing traversal payloads, an unauthenticated attacker can read arbitrary files accessible to the web server process, potentially exposing sensitive configuration files, user data, or other server resources.
The vulnerability has been addressed in commit 6be3871 of the Talishar repository, which patches the sanitization issue in ParseGamestate.php. Security practitioners should update to this commit or later. Additional details are available in the GitHub security advisory (GHSA-f386-xhcw-jrx8) and the patch commit (6be3871a14c192d1fb8146cdbc76f29f27c1cf48).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9982
Vulnerability details
Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871, a Path Traversal vulnerability was identified in the gameName parameter. While the application's primary entry points implement input validation, the ParseGamestate.php component can be accessed directly as a standalone script. In this scenario, the absence of internal sanitization allows for directory traversal sequences (e.g., ../) to be processed, potentially leading to unauthorized file access. This issue has been patched in commit 6be3871.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing web script (ParseGamestate.php) directly enables remote unauthenticated file read (T1190 initial access via public app exploit); this facilitates arbitrary local file collection for sensitive data (T1005).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mitigates the path traversal vulnerability by requiring validation and sanitization of the gameName parameter in ParseGamestate.php to block directory traversal sequences like ../.
- Requires timely application of the patch in commit 6be3871, which addresses the sanitization flaw in ParseGamestate.php that allows unauthorized file access.
- AC-6 (Least Privilege): Enforces least privilege on the web server process to restrict access to files outside intended directories, mitigating impact even if traversal payloads bypass validation.
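The kind of input validation SI-10 calls for, shown as an added example that is not the Talishar project's code or the actual patch: an allowlist check on a gameName-style parameter plus a realpath containment check before any file is opened. The storage directory, file layout and function names are assumptions.

```php
<?php
// Added example: hardening a gameName-style parameter against CWE-22.
// Not Talishar code; the directory, file layout and names are assumptions.

const GAMES_DIR = '/var/www/app/Games'; // assumed game storage directory

// Allowlist: only the characters a game identifier legitimately needs.
// This rejects "../", path separators and percent-encoded variants outright
// (PHP has already URL-decoded $_GET once, so "..%2F" arrives as "../").
function isValidGameName(string $gameName): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $gameName) === 1;
}

// Defence in depth: even with a validated name, confirm the resolved
// path stays inside GAMES_DIR before reading it. Returns null on any failure.
function resolveGamePath(string $gameName): ?string
{
    if (!isValidGameName($gameName)) {
        return null;
    }
    $base = realpath(GAMES_DIR);
    $candidate = realpath(GAMES_DIR . '/' . $gameName . '/gamestate.txt');
    if ($base === false || $candidate === false) {
        return null; // base missing or game file does not exist
    }
    // Require the base prefix followed by a separator, so a sibling such as
    // "/var/www/app/Games2" is not mistaken for being inside GAMES_DIR.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage in a script that can be reached standalone: reject before any file I/O.
$gameName = $_GET['gameName'] ?? '';
$path = resolveGamePath($gameName);
if ($path === null) {
    http_response_code(400);
    exit('Invalid gameName');
}
$gamestate = file_get_contents($path);
```

Because the allowlist runs before the path is built, a value such as `../../etc/passwd` is refused at the first check and never reaches realpath; the containment check covers anything the allowlist might later be loosened to permit.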