CVE-2026-28679
Published: 06 March 2026
Summary
CVE-2026-28679 is a high-severity Path Traversal (CWE-22) vulnerability in Home-Gallery Homegallery. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of file path inputs in download requests to ensure they remain within the media source directory, directly preventing path traversal exploitation.
Enforces logical access controls to restrict application-mediated file downloads to authorized media directory contents only, blocking access to sensitive system files.
Mandates timely remediation of the path traversal flaw through patching to version 1.21.0, eliminating the vulnerability as addressed in the project's security advisory.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public-facing web app directly enables T1190 exploitation for initial access; arbitrary file read facilitates T1005 data collection from local system and T1552.001 credential theft from files.
NVD Description
Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. Prior to version 1.21.0, when a user requests a download, the application does not verify whether the requested file is located within the media source directory, which…
more
can result in sensitive system files being downloadable as well. This issue has been patched in version 1.21.0.
Deeper analysisAI
CVE-2026-28679 is a path traversal vulnerability (CWE-22) affecting Home-Gallery.org, a self-hosted open-source web gallery for browsing personal photos and videos. In versions prior to 1.21.0, the application fails to verify that a requested download file is located within the designated media source directory. This flaw enables attackers to access and download sensitive system files outside the intended directory. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to its network accessibility, low complexity, lack of required privileges or user interaction, and significant confidentiality impact.
Remote attackers can exploit this vulnerability without authentication by crafting malicious download requests targeting files beyond the media directory. Successful exploitation allows arbitrary file reads, potentially exposing sensitive system information such as configuration files, credentials, or other critical data hosted on the server. The scope is changed (S:C), amplifying the impact within the application's security context.
The issue has been addressed in Home-Gallery.org version 1.21.0, as detailed in the project's GitHub release notes (https://github.com/xemle/home-gallery/releases/tag/v1.21.0) and security advisory (https://github.com/xemle/home-gallery/security/advisories/GHSA-xj65-hcj5-h6j3). Security practitioners should urge users to upgrade to the patched version immediately and review access logs for suspicious download requests.
Details
- CWE(s)