Cyber Resilience

CVE-2026-28429

Severity: High · Public PoC

Published: 06 March 2026
Modified: 20 April 2026
KEV Added
Patch
CVSS Score (v3.1): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score: 0.0046 (64.3rd percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28429 is a high-severity Path Traversal (CWE-22) vulnerability in Talishar (vendor: Talishar). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 35.7% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-28429 is a path traversal vulnerability (CWE-22) affecting Talishar, a fan-made web project for the Flesh and Blood trading card game. The issue resides in the ParseGamestate.php component, specifically the gameName parameter, in versions prior to commit 6be3871. Although the application's main entry points include input validation, direct access to ParseGamestate.php as a standalone script bypasses this, allowing directory traversal sequences like "../" to be processed without sanitization. This can result in unauthorized access to files on the server. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with low attack complexity.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. By crafting a request to ParseGamestate.php with a malicious gameName parameter containing traversal payloads, an unauthenticated attacker can read arbitrary files accessible to the web server process, potentially exposing sensitive configuration files, user data, or other server resources.

The vulnerability has been addressed in commit 6be3871 of the Talishar repository, which patches the sanitization issue in ParseGamestate.php. Security practitioners should update to this commit or later. Additional details are available in the GitHub security advisory (GHSA-f386-xhcw-jrx8) and the patch commit (6be3871a14c192d1fb8146cdbc76f29f27c1cf48).
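The two controls named above (input validation on the game-name parameter, and confining file access to one directory) can be combined in a single resolver. The following is an added illustration written for this page, not Talishar's own code; the class, the `.txt` naming convention, the directory layout and the sample names are assumptions.

```php
<?php
// Added example (not Talishar's code): resolve a "game name" parameter to a
// file that must stay inside one fixed directory. Names and paths are assumed.
declare(strict_types=1);

final class GameFileResolver
{
    private string $baseDir;

    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false) {
            throw new RuntimeException("base directory does not exist: $baseDir");
        }
        $this->baseDir = $real;
    }

    // Returns the canonical path for $gameName, or null when the name is not
    // acceptable. Two independent checks: an allowlist on the raw value and a
    // containment check on the resolved path (catches symlinks the regex cannot).
    public function resolve(string $gameName): ?string
    {
        // 1. Allowlist: only short identifiers, so "../", "/" and NUL never pass.
        if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $gameName) !== 1) {
            return null;
        }
        // 2. Containment: canonicalise and require the result to stay under baseDir.
        $candidate = $this->baseDir . DIRECTORY_SEPARATOR . $gameName . '.txt';
        $real = realpath($candidate);
        if ($real === false) {
            return null; // file absent; same answer as "rejected", nothing leaks
        }
        $prefix = $this->baseDir . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
            return null; // resolved outside the allowed directory
        }
        return $real;
    }
}

// Demonstration on a constructed temporary directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'games-' . bin2hex(random_bytes(4));
mkdir($base, 0700);
file_put_contents("$base/abc123.txt", 'state');
$resolver = new GameFileResolver($base);
var_dump($resolver->resolve('abc123') !== null);   // bool(true)
var_dump($resolver->resolve('../../outside.txt')); // NULL, rejected by allowlist
var_dump($resolver->resolve('abc123/../abc123'));  // NULL, rejected by allowlist
unlink("$base/abc123.txt");
rmdir($base);
```

The allowlist alone would have blocked the traversal sequences this advisory describes; the containment check is the second layer that still holds if the allowlist is later loosened.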

EU & UK References

Vulnerability details

Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871, a Path Traversal vulnerability was identified in the gameName parameter. While the application's primary entry points implement input validation, the ParseGamestate.php component can be accessed directly as a standalone script. In this scenario, the absence of internal sanitization allows for directory traversal sequences (e.g., ../) to be processed, potentially leading to unauthorized file access. This issue has been patched in commit 6be3871.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal in a public-facing web script (ParseGamestate.php) directly enables remote unauthenticated file read, which is initial access via exploitation of a public application (T1190); the resulting arbitrary local file read then facilitates collection of sensitive data from the host (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-12824 (shared CWE-22)
CVE-2026-25965 (shared CWE-22)
CVE-2025-30567 (shared CWE-22)
CVE-2025-27098 (shared CWE-22)
CVE-2024-55457 (shared CWE-22)
CVE-2026-35485 (shared CWE-22)
CVE-2024-54909 (shared CWE-22)
CVE-2026-3405 (shared CWE-22)
CVE-2025-41368 (shared CWE-22)
CVE-2026-23850 (shared CWE-22)

Affected Assets

Vendor: talishar
Product: talishar
Versions: ≤ 2026-02-22

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the path traversal vulnerability by requiring validation and sanitization of the gameName parameter in ParseGamestate.php so that directory traversal sequences such as ../ are rejected before any file path is built.

prevent

Requires timely application of the patch in commit 6be3871, which addresses the sanitization flaw in ParseGamestate.php allowing unauthorized file access.

prevent

Enforces least privilege on the web server process to restrict access to files outside intended directories, mitigating impact even if traversal payloads bypass validation.

References