Auth bypass in Sysadminsmedia Homebox

CVE-2025-53108

HomeBox is a home inventory and organization system. Prior to 0.20.1, HomeBox contains a missing authorization check in the API endpoints responsible for updating and deleting inventory item attachments. This flaw allows authenticated user…

Vulnerability class: Broken Access Control

EPSS: 0.002 (46.9th percentile) — read the EPSS interpretation.

Affected products

Sysadminsmedia Homebox — versions < 0.20.1

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-m6vx-pg9q-vq6m (x_refsource_CONFIRM)
https://github.com/sysadminsmedia/homebox/commit/e159dd8a0b5d01d7225795bfba5634781181df20 (x_refsource_MISC)