Product: halo
37 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2025-70886 (affected versions: <= 2.22.4)
An issue in halo v.2.22.4 and before allows a remote attacker to cause a denial of service via a crafted payload to the public com

CVE-2025-15141 (affected versions: <= 2.21.10)
A vulnerability was determined in Halo up to 2.21.10. This issue affects some unknown processing of the file /actuator of the comp

CVE-2025-14117 (affected versions: all versions)
A vulnerability has been found in fit2cloud Halo 2.21.10. Impacted is an unknown function. The manipulation leads to cross-site re

CVE-2025-44595 (affected versions: <= 2.20.17)
Halo v2.20.17 and before is vulnerable to Cross Site Scripting (XSS) in /halo_host/archives/{name}.

CVE-2025-44593 (affected versions: < 2.20.13)
Halo prior to 2.20.13 allows bypassing file type detection and uploading malicious files such as .exe and .html files. Specificall

CVE-2025-44594 (affected versions: <= 2.20.17)
halo v2.20.17 and before is vulnerable to server-side request forgery (SSRF) in /apis/uc.api.storage.halo.run/v1alpha1/attachments

CVE-2024-56156 (affected versions: < 2.20.13)
Halo is an open source website building tool. Prior to version 2.20.13, a vulnerability in Halo allows attackers to bypass file ty

CVE-2024-43793 (affected versions: < 2.19.0)
Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.19.0 of the Halo

CVE-2024-43792 (affected versions: < 2.17.0)
Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.17.0 of the Halo

CVE-2023-33528 (affected versions: all versions)
halo v1.6.0 is vulnerable to Cross Site Scripting (XSS).

CVE-2023-27164 (affected versions: <= 1.6.1)
An arbitrary file upload vulnerability in Halo up to v1.6.1 allows attackers to execute arbitrary code via a crafted .md file.

CVE-2022-32995 (affected versions: all versions)
Halo CMS v1.5.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the template remote download function.

CVE-2022-32994 (affected versions: all versions)
Halo CMS v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the component /api/admin/attachments/upload.

CVE-2022-28074 (affected versions: all versions)
Halo-1.5.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via \admin\index.html#/system/tools.

CVE-2022-26619 (affected versions: all versions)
Halo Blog CMS v1.4.17 was discovered to allow attackers to upload arbitrary files via the Attachment Upload function.

CVE-2021-43659 (affected versions: all versions)
In halo 1.4.14, the function point of uploading the avatar, any file can be uploaded, such as uploading an HTML file, which will c

CVE-2022-22125 (affected versions: >= 1.0.0 and <= 1.4.17)
In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article tag. An authentica

CVE-2022-22124 (affected versions: >= 1.0.0 and <= 1.4.17)
In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the profile image. An authenti

CVE-2022-22123 (affected versions: >= 1.0.0 and <= 1.4.17)
In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article title. An authenti

CVE-2020-23079 (affected versions: <= 1.3.2)
SSRF vulnerability in Halo <=1.3.2 exists in the SMTP configuration, which can detect the server intranet.

CVE-2020-19038 (affected versions: all versions)
File Deletion vulnerability in Halo 0.4.3 via delBackup.

CVE-2020-19037 (affected versions: all versions)
Incorrect Access Control vulnerability in Halo 0.4.3, which allows a malicious user to bypass encryption to view encrypted articles

CVE-2020-18982 (affected versions: all versions)
Cross Site Scripting (XSS) vulnerability in Halo 0.4.3 via CommentAuthorUrl.

CVE-2020-18980 (affected versions: all versions)
Remote Code Execution vulnerability in Halo 0.4.3 via the remoteAddr and themeName parameters.

CVE-2020-18979 (affected versions: all versions)
Cross Site Scripting (XSS) vulnerability in Halo 0.4.3 via the X-forwarded-for Header parameter.

CVE-2020-21345 (affected versions: all versions)
Cross Site Scripting (XSS) vulnerability in Halo 1.1.3 via post publish components in the manage panel, which lets a remote malici

CVE-2020-21527 (affected versions: all versions)
There is an Arbitrary file deletion vulnerability in halo v1.1.3. A backup function in the background allows a user, when deleting

CVE-2020-21526 (affected versions: all versions)
An Arbitrary file writing vulnerability in halo v1.1.3. In an interface to write files in the background, a directory traversal ch

CVE-2020-21525 (affected versions: all versions)
Halo V1.1.3 is affected by: Arbitrary File reading. In an interface that reads files in halo v1.1.3, a directory traversal check i

CVE-2020-21524 (affected versions: all versions)
There is a XML external entity (XXE) vulnerability in halo v1.1.3. The function of importing other blogs in the background(/api/ad

CVE-2020-21523 (affected versions: all versions)
A Server-Side Freemarker template injection vulnerability in halo CMS v1.1.3 in the Edit Theme File function. The ftl file can be

CVE-2020-21522 (affected versions: all versions)
An issue was discovered in halo V1.1.3. A Zip Slip Directory Traversal Vulnerability in the backend, the attacker can overwrite som

CVE-2020-19007 (affected versions: all versions)
Halo blog 1.2.0 allows users to submit comments on blog posts via /api/content/posts/comments. The javascript code supplied by the

CVE-2019-19999 (affected versions: <= 1.1.1)
Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is not used in

CVE-2019-16890 (affected versions: all versions)
Halo 1.1.0 has XSS via a crafted authorUrl in JSON data to api/content/posts/comments.

CVE-2018-11012 (affected versions: all versions)
ruibaby Halo 0.0.2 has stored XSS via the loginName and loginPwd parameters in a failed login attempt to AdminController.java.

CVE-2018-11011 (affected versions: all versions)
ruibaby Halo 0.0.2 has stored XSS via the commentAuthor field to FrontCommentController.java.