CVE-2026-28429
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2Tags
Description
Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871, a Path Traversal vulnerability was identified in the gameName parameter. While the application's primary entry points implement input validation, the ParseGamestate.php component can be accessed directly as a standalone script. In this scenario, the absence of internal sanitization allows for directory traversal sequences (e.g., ../) to be processed, potentially leading to unauthorized file access. This issue has been patched in commit 6be3871.
Analysis
ParseGamestate.php in Talishar allows unauthenticated remote attackers to read arbitrary files through path traversal in the gameName parameter when the script is accessed directly, bypassing input validation present in primary application entry points. An attacker can exploit this vulnerability to access sensitive files on the affected server without authentication or user interaction. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all systems running Talishar and assess business criticality. Within 7 days: Implement network segmentation to restrict Talishar application access, deploy WAF rules to block path traversal payloads in gameName parameters (detect patterns like ../ and URL encoding variants), and disable the gameName parameter if operationally feasible. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today