halo 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は パス処理の欠陥、vendor risk ssrf, and vendor risk xxe に関連することが多く、vendor surface production workloads and vendor surface software deployment の文脈で vendor impact session compromise and ファイル上書き などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-70886 | An issue in halo v.2.22.4 and before allows a remote attacker to cause a denial of service via a crafted payload to the public comment submission endpoint | [email protected] | 7.5 | 0.44% | 2026-02-12 | 2026-06-17 |
| CVE-2025-15141 | A vulnerability was determined in Halo up to 2.21.10. This issue affects some unknown processing of the file /actuator of the component Configuration Handler. Executing a manipulation can lead to information disclosure. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 1.3 | 0.22% | 2025-12-28 | 2026-06-17 |
| CVE-2025-44595 | Halo v2.20.17 and before is vulnerable to Cross Site Scripting (XSS) in /halo_host/archives/{name}. | [email protected] | 6.1 | 0.22% | 2025-09-09 | 2026-06-17 |
| CVE-2025-44593 | Halo prior to 2.20.13 allows bypassing file type detection and uploading malicious files such as .exe and .html files. Specifically, .html files can trigger stored XSS vulnerabilities. This vulnerability is fixed in 2.20.13 | [email protected] | 6.1 | 0.24% | 2025-09-09 | 2026-06-17 |
| CVE-2025-44594 | halo v2.20.17 and before is vulnerable to server-side request forgery (SSRF) in /apis/uc.api.storage.halo.run/v1alpha1/attachments/-/upload-from-url. | [email protected] | 9.1 | 0.35% | 2025-09-09 | 2026-06-17 |
| CVE-2024-56156 | Halo is an open source website building tool. Prior to version 2.20.13, a vulnerability in Halo allows attackers to bypass file type validation controls. This bypass enables the upload of malicious files including executables and HTML files, which can lead to stored cross-site scripting attacks and potential remote code execution under certain circumstances. This issue has been patched in version 2.20.13. | [email protected] | 5.5 | 0.63% | 2025-04-25 | 2026-06-17 |
| CVE-2024-43793 | Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.19.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user's browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. This vulnerability is fixed in 2.19.0. | [email protected] | 6.3 | 0.32% | 2024-09-11 | 2026-06-17 |
| CVE-2024-43792 | Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.17.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user's browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. Users are advised to upgrade to version 2.17.0+. There are no known workarounds for this vulnerability. | [email protected] | 6.3 | 0.33% | 2024-09-02 | 2026-06-17 |
| CVE-2023-33528 | halo v1.6.0 is vulnerable to Cross Site Scripting (XSS). | [email protected] | 6.1 | 0.31% | 2024-03-28 | 2026-06-17 |
| CVE-2023-27164 | An arbitrary file upload vulnerability in Halo up to v1.6.1 allows attackers to execute arbitrary code via a crafted .md file. | [email protected] | 4.8 | 0.70% | 2023-03-10 | 2026-06-17 |
| CVE-2022-32995 | Halo CMS v1.5.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the template remote download function. | [email protected] | 9.8 | 15.91% | 2022-06-27 | 2026-06-17 |
| CVE-2022-32994 | Halo CMS v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the component /api/admin/attachments/upload. | [email protected] | 9.8 | 16.73% | 2022-06-27 | 2026-06-17 |
| CVE-2022-26619 | Halo Blog CMS v1.4.17 was discovered to allow attackers to upload arbitrary files via the Attachment Upload function. | [email protected] | 7.5 | 0.87% | 2022-04-04 | 2026-06-17 |
| CVE-2021-43659 | In halo 1.4.14, the function point of uploading the avatar, any file can be uploaded, such as uploading an HTML file, which will cause a stored XSS vulnerability. | [email protected] | 5.4 | 0.54% | 2022-03-24 | 2026-06-17 |
| CVE-2022-22125 | In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article tag. An authenticated admin attacker can inject arbitrary javascript code that will execute on a victim’s server. | [email protected] | 4.8 | 0.83% | 2022-01-13 | 2026-06-17 |
| CVE-2020-23079 | SSRF vulnerability in Halo <=1.3.2 exists in the SMTP configuration, which can detect the server intranet. | [email protected] | 7.5 | 1.24% | 2021-07-12 | 2026-06-16 |
| CVE-2020-19038 | File Deletion vulnerability in Halo 0.4.3 via delBackup. | [email protected] | 9.1 | 1.17% | 2021-07-12 | 2026-06-16 |
| CVE-2020-19037 | Incorrect Access Control vulnearbility in Halo 0.4.3, which allows a malicious user to bypass encrption to view encrpted articles via cookies. | [email protected] | 5.3 | 0.89% | 2021-07-12 | 2026-06-16 |
| CVE-2020-18982 | Cross Sie Scripting (XSS) vulnerability in Halo 0.4.3 via CommentAuthorUrl. | [email protected] | 5.4 | 0.57% | 2021-07-12 | 2026-06-16 |
| CVE-2020-18980 | Remote Code Executon vulnerability in Halo 0.4.3 via the remoteAddr and themeName parameters. | [email protected] | 9.8 | 1.46% | 2021-07-12 | 2026-06-16 |