CVE-2025-44594

Critical CVSS: 9.1

halo v2.20.17 and before is vulnerable to server-side request forgery (SSRF) in /apis/uc.api.storage.halo.run/v1alpha1/attachments/-/upload-from-url.

Vendor

Product

CWE

Yayın Tarihi

2025-09-09 20:15:40

Güncelleme

2025-09-17 19:34:21

Source Identifier

cve@mitre.org

KEV Date Added

CWE-918 Halo CRITICAL Halo 2025

https://meadow-horn-b94.notion.site/halo-ssrf-14c42bd5b11880c09936df07f58f5bed?pvs=74

High

CVE-2025-70886

An issue in halo v.2.22.4 and before allows a remote attacker to cause a denial of service via a crafted payload to the…

Low

CVE-2025-15141

A vulnerability was determined in Halo up to 2.21.10. This issue affects some unknown processing of the file /actuator o…

Medium

CVE-2025-44593

Halo prior to 2.20.13 allows bypassing file type detection and uploading malicious files such as .exe and .html files. S…

Medium

CVE-2025-44595

Halo v2.20.17 and before is vulnerable to Cross Site Scripting (XSS) in /halo_host/archives/{name}.

Medium

CVE-2024-56156

Halo is an open source website building tool. Prior to version 2.20.13, a vulnerability in Halo allows attackers to bypa…