Halo

halo

Vendor: Halo • 33 CVEs

CVEs (33)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-70886 1Halo 1Halo Feb 18, 2026 Feb 12, 2026 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue in halo v.2.22.4 and before allows a remote attacker to cause a denial of service via a crafted payload to the public comment submission endpoint
CVE-2025-15141 1Halo 1Halo Apr 29, 2026 Dec 28, 2025 1.3 LOW· v4 3.1 LOW· v3 2.1 LOW· v2 A vulnerability was determined in Halo up to 2.21.10. This issue affects some unknown processing of the file /actuator of the component Configuration Handler. Executing a manipulation can lead to information disclosure....Show more A vulnerability was determined in Halo up to 2.21.10. This issue affects some unknown processing of the file /actuator of the component Configuration Handler. Executing a manipulation can lead to information disclosure. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-44595 1Halo 1Halo Sep 18, 2025 Sep 9, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Halo v2.20.17 and before is vulnerable to Cross Site Scripting (XSS) in /halo_host/archives/{name}.
CVE-2025-44593 1Halo 1Halo Sep 18, 2025 Sep 9, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Halo prior to 2.20.13 allows bypassing file type detection and uploading malicious files such as .exe and .html files. Specifically, .html files can trigger stored XSS vulnerabilities. This vulnerability is fixed in 2.20...Show more Halo prior to 2.20.13 allows bypassing file type detection and uploading malicious files such as .exe and .html files. Specifically, .html files can trigger stored XSS vulnerabilities. This vulnerability is fixed in 2.20.13Show less
CVE-2025-44594 1Halo 1Halo Sep 17, 2025 Sep 9, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 halo v2.20.17 and before is vulnerable to server-side request forgery (SSRF) in /apis/uc.api.storage.halo.run/v1alpha1/attachments/-/upload-from-url.
CVE-2024-56156 1Halo 1Halo Feb 3, 2026 Apr 25, 2025 5.5 MEDIUM· v4 9.0 CRITICAL· v3 N/A· v2 Halo is an open source website building tool. Prior to version 2.20.13, a vulnerability in Halo allows attackers to bypass file type validation controls. This bypass enables the upload of malicious files including execut...Show more Halo is an open source website building tool. Prior to version 2.20.13, a vulnerability in Halo allows attackers to bypass file type validation controls. This bypass enables the upload of malicious files including executables and HTML files, which can lead to stored cross-site scripting attacks and potential remote code execution under certain circumstances. This issue has been patched in version 2.20.13.Show less
CVE-2024-43793 1Halo 1Halo Sep 16, 2024 Sep 11, 2024 N/A· v4 6.4 MEDIUM· v3 N/A· v2 Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.19.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user's...Show more Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.19.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user's browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. This vulnerability is fixed in 2.19.0.Show less
CVE-2024-43792 1Halo 1Halo Sep 16, 2024 Sep 2, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.17.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user's...Show more Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.17.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user's browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. Users are advised to upgrade to version 2.17.0+. There are no known workarounds for this vulnerability.Show less
CVE-2023-33528 1Halo 1Halo Mar 28, 2025 Mar 28, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 halo v1.6.0 is vulnerable to Cross Site Scripting (XSS).
CVE-2023-27164 1Halo 1Halo Nov 21, 2024 Mar 10, 2023 N/A· v4 4.8 MEDIUM· v3 N/A· v2 An arbitrary file upload vulnerability in Halo up to v1.6.1 allows attackers to execute arbitrary code via a crafted .md file.
CVE-2022-32995 1Halo 1Halo Nov 21, 2024 Jun 27, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Halo CMS v1.5.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the template remote download function.
CVE-2022-32994 1Halo 1Halo Nov 21, 2024 Jun 27, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Halo CMS v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the component /api/admin/attachments/upload.
CVE-2022-26619 1Halo 1Halo Nov 21, 2024 Apr 5, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Halo Blog CMS v1.4.17 was discovered to allow attackers to upload arbitrary files via the Attachment Upload function.
CVE-2021-43659 1Halo 1Halo Nov 21, 2024 Mar 24, 2022 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 In halo 1.4.14, the function point of uploading the avatar, any file can be uploaded, such as uploading an HTML file, which will cause a stored XSS vulnerability.
CVE-2022-22125 1Halo 1Halo Nov 21, 2024 Jan 13, 2022 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article tag. An authenticated admin attacker can inject arbitrary javascript code that will execute on a victim’s se...Show more In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article tag. An authenticated admin attacker can inject arbitrary javascript code that will execute on a victim’s server.Show less
CVE-2020-23079 1Halo 1Halo Nov 21, 2024 Jul 12, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 SSRF vulnerability in Halo <=1.3.2 exists in the SMTP configuration, which can detect the server intranet.
CVE-2020-19038 1Halo 1Halo Nov 21, 2024 Jul 12, 2021 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 File Deletion vulnerability in Halo 0.4.3 via delBackup.
CVE-2020-19037 1Halo 1Halo Nov 21, 2024 Jul 12, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Incorrect Access Control vulnearbility in Halo 0.4.3, which allows a malicious user to bypass encrption to view encrpted articles via cookies.
CVE-2020-18982 1Halo 1Halo Nov 21, 2024 Jul 12, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross Sie Scripting (XSS) vulnerability in Halo 0.4.3 via CommentAuthorUrl.
CVE-2020-18980 1Halo 1Halo Nov 21, 2024 Jul 12, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Remote Code Executon vulnerability in Halo 0.4.3 via the remoteAddr and themeName parameters.

12 Next