CVE-2026-28429
📋 TL;DR
This CVE describes a path traversal vulnerability in Talishar, a fan-made Flesh and Blood project, where the ParseGamestate.php component can be accessed directly without proper input validation. Attackers can use directory traversal sequences (../) in the gameName parameter to potentially access unauthorized files. Anyone running unpatched versions of Talishar is affected.
💻 Affected Systems
- Talishar
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like configuration files, passwords, or SSH keys, potentially leading to remote code execution.
Likely Case
Unauthorized reading of arbitrary files on the server, potentially exposing sensitive application data or configuration information.
If Mitigated
No impact if proper input validation and access controls are implemented to prevent direct access to ParseGamestate.php.
🎯 Exploit Status
Exploitation requires direct access to ParseGamestate.php with crafted gameName parameter containing directory traversal sequences.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 6be3871
Vendor Advisory: https://github.com/Talishar/Talishar/security/advisories/GHSA-f386-xhcw-jrx8
Restart Required: No
Instructions:
1. Update to commit 6be3871 or later.
2. Apply the patch from https://github.com/Talishar/Talishar/commit/6be3871a14c192d1fb8146cdbc76f29f27c1cf48.
3. Verify that ParseGamestate.php now validates input properly.
🔧 Temporary Workarounds
Restrict access to ParseGamestate.php
Block direct access to ParseGamestate.php using web server configuration or application-level controls.
Apache:
<Location "/ParseGamestate.php">
    Require all denied
</Location>
Nginx:
location = /ParseGamestate.php { deny all; }
Implement input validation
Add server-side validation to reject gameName parameters containing directory traversal sequences.
PHP example:
if (strpos($gameName, '..') !== false) {
    die('Invalid input');
}
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests containing directory traversal patterns.
- Monitor access logs for attempts to access ParseGamestate.php with suspicious parameters.
🔍 How to Verify
Check if Vulnerable:
Test if accessing ParseGamestate.php directly with a gameName parameter containing ../ sequences returns file contents instead of an error.
Check Version:
git log --oneline -1
Verify Fix Applied:
Verify that the same test now returns an error or properly sanitized output, and check that commit 6be3871 is present in the checked-out history.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to ParseGamestate.php with gameName parameter containing ../ sequences
- Unusual file access patterns from web server process
Network Indicators:
- HTTP requests with encoded directory traversal patterns (%2e%2e%2f, ..%2f, etc.)
SIEM Query:
source="web_access_logs" AND uri_path="/ParseGamestate.php" AND (param="*..*" OR param="*%2e%2e*")
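The SIEM query above matches only literal `..` and `%2e%2e`; the encoded variants listed under Network Indicators are easier to catch if the parameter is percent-decoded (including double encoding) before matching. The following is an added example, not code from the advisory or the Talishar project: it runs that check over constructed combined-format access log lines and reports each ParseGamestate.php request whose gameName resolves to a `..` path segment.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2026:10:00:01 +0000] "GET /ParseGamestate.php?gameName=123456 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2026:10:00:02 +0000] "GET /ParseGamestate.php?gameName=../../config.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.9 - - [01/Mar/2026:10:00:03 +0000] "GET /ParseGamestate.php?gameName=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.11 - - [01/Mar/2026:10:00:04 +0000] "GET /ParseGamestate.php?gameName=..%252f..%252fconfig.php HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.13 - - [01/Mar/2026:10:00:05 +0000] "GET /index.php?page=../secret HTTP/1.1" 404 100 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')  # a ".." path segment, not "game..name"

def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so double
    encoding such as %252f cannot hide a traversal segment from the match."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value: str) -> bool:
    return TRAVERSAL_RE.search(fully_decode(value)) is not None

def flag_traversal(log_text: str, path: str = "/ParseGamestate.php", param: str = "gameName"):
    """Return (client_ip, decoded gameName) for every request to `path`
    whose `param` contains a traversal segment after full decoding."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != path:
            continue
        # parse_qs decodes one layer; fully_decode handles any further layers.
        for raw in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if has_traversal(raw):
                hits.append((line.split(" ", 1)[0], fully_decode(raw)))
    return hits

if __name__ == "__main__":
    for ip, name in flag_traversal(SAMPLE_LOG):
        print(f"ALERT {ip} gameName={name!r}")
```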