{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28429", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T15:54:05.137Z", "datePublished": "2026-03-06T04:59:49.629Z", "dateUpdated": "2026-03-09T19:45:39.377Z"}, "containers": {"cna": {"title": "Talishar: Critical Path Traversal in gameName Parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Talishar/Talishar/security/advisories/GHSA-f386-xhcw-jrx8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Talishar/Talishar/security/advisories/GHSA-f386-xhcw-jrx8"}, {"name": "https://github.com/Talishar/Talishar/commit/6be3871a14c192d1fb8146cdbc76f29f27c1cf48", "tags": ["x_refsource_MISC"], "url": "https://github.com/Talishar/Talishar/commit/6be3871a14c192d1fb8146cdbc76f29f27c1cf48"}], "affected": [{"vendor": "Talishar", "product": "Talishar", "versions": [{"version": "< 6be3871a14c192d1fb8146cdbc76f29f27c1cf48", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:59:49.629Z"}, "descriptions": [{"lang": "en", "value": "Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871, a Path Traversal vulnerability was identified in the gameName parameter. While the application's primary entry points implement input validation, the ParseGamestate.php component can be accessed directly as a standalone script. In this scenario, the absence of internal sanitization allows for directory traversal sequences (e.g., ../) to be processed, potentially leading to unauthorized file access. This issue has been patched in commit 6be3871."}], "source": {"advisory": "GHSA-f386-xhcw-jrx8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T19:45:28.527333Z", "id": "CVE-2026-28429", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:45:39.377Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28429", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T19:45:28.527333Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:45:34.903Z"}}], "cna": {"title": "Talishar: Critical Path Traversal in gameName Parameter", "source": {"advisory": "GHSA-f386-xhcw-jrx8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Talishar", "product": "Talishar", "versions": [{"status": "affected", "version": "< 6be3871a14c192d1fb8146cdbc76f29f27c1cf48"}]}], "references": [{"url": "https://github.com/Talishar/Talishar/security/advisories/GHSA-f386-xhcw-jrx8", "name": "https://github.com/Talishar/Talishar/security/advisories/GHSA-f386-xhcw-jrx8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Talishar/Talishar/commit/6be3871a14c192d1fb8146cdbc76f29f27c1cf48", "name": "https://github.com/Talishar/Talishar/commit/6be3871a14c192d1fb8146cdbc76f29f27c1cf48", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871, a Path Traversal vulnerability was identified in the gameName parameter. While the application's primary entry points implement input validation, the ParseGamestate.php component can be accessed directly as a standalone script. In this scenario, the absence of internal sanitization allows for directory traversal sequences (e.g., ../) to be processed, potentially leading to unauthorized file access. This issue has been patched in commit 6be3871."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:59:49.629Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28429", "state": "PUBLISHED", "dateUpdated": "2026-03-09T19:45:39.377Z", "dateReserved": "2026-02-27T15:54:05.137Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T04:59:49.629Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:talishar:talishar:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB6EC428-F449-46D5-B308-45979347E391", "versionEndExcluding": "2026-02-22", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871, a Path Traversal vulnerability was identified in the gameName parameter. While the application's primary entry points implement input validation, the ParseGamestate.php component can be accessed directly as a standalone script. In this scenario, the absence of internal sanitization allows for directory traversal sequences (e.g., ../) to be processed, potentially leading to unauthorized file access. This issue has been patched in commit 6be3871."}, {"lang": "es", "value": "Talishar es un proyecto de Flesh and Blood creado por fans. Antes del commit 6be3871, una vulnerabilidad de salto de ruta fue identificada en el par\u00e1metro gameName. Aunque los puntos de entrada principales de la aplicaci\u00f3n implementan validaci\u00f3n de entrada, el componente ParseGamestate.PHP puede ser accedido directamente como un script independiente. En este escenario, la ausencia de saneamiento interno permite que secuencias de salto de directorio (p. ej., ../) sean procesadas, lo que podr\u00eda llevar a un acceso no autorizado a archivos. Este problema ha sido parcheado en el commit 6be3871."}], "id": "CVE-2026-28429", "lastModified": "2026-04-20T12:54:48.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T05:16:31.890", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Talishar/Talishar/commit/6be3871a14c192d1fb8146cdbc76f29f27c1cf48"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Talishar/Talishar/security/advisories/GHSA-f386-xhcw-jrx8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0,6be3871a14c192d1fb8146cdbc76f29f27c1cf48)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Talishar", "source": "cna", "vendor": "Talishar"}, "product": "talishar", "vendor": "talishar"}], "analysis": {"en": {"generated_at": "2026-04-16T11:33:26.084628+00:00", "value": {"mitigation_remediation": ["Apply the patch from commit 6be3871 or update Talishar to a version that includes the fix.", "Restrict direct access to ParseGamestate.php so it can only be invoked from the intended application entry points or via web server configuration rules.", "Validate and sanitize the gameName parameter to reject traversal sequences and enforce an allowed character set or whitelist."], "summary": {"action": "Apply Patch", "impact": "Unauthorized File Access"}, "threat_synthesis": {"affected_systems": "Talishar's fan\u2011made Flesh and Blood project is affected. The vulnerability applies to all builds that include the ParseGamestate.php script before commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48. No specific version string is supplied.", "description_and_impact": "The vulnerability is a path traversal flaw in the ParseGamestate.php component of the Talishar project. Because that component can be invoked directly, the absence of internal sanitization allows a user to supply directory traversal sequences such as '../' in the gameName parameter. In this scenario the web server passes the unverified path to the file system, potentially exposing confidential files to an unauthenticated visitor. The flaw does not grant code execution, but it can lead to the disclosure of sensitive content stored on the server.", "risk_and_exploitability": "The CVSS score of 7.5 classifies the issue as high severity, while an EPSS score of less than 1% indicates that active exploitation is currently rare. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote HTTP request to ParseGamestate.php with a crafted gameName parameter containing traversal sequences. No special privileges or authentication appear to be required, so a publicly connected attacker could trigger the fault and read arbitrary files readable by the web server process. The impact is primarily confidentiality loss."}}}}, "created": "2026-03-06T14:55:40.629688+00:00", "updated": "2026-04-16T11:45:26.260919+00:00", "vendors": ["talishar", "talishar$PRODUCT$talishar"]}