CVE-2025-44593

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-44593

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-44593.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-44593

Published

2025-09-09T21:15:36.020Z

Modified

2026-04-10T05:26:49.653767Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Halo prior to 2.20.13 allows bypassing file type detection and uploading malicious files such as .exe and .html files. Specifically, .html files can trigger stored XSS vulnerabilities. This vulnerability is fixed in 2.20.13

References

https://meadow-horn-b94.notion.site/halo-File-Upload-Vulnerability-14c42bd5b11880d58e11cd976f8e9d4f

Affected packages

Git / github.com/halo-dev/halo

Affected ranges

Type

GIT

Repo

https://github.com/halo-dev/halo

Events

Introduced

Fixed

e8ca93396fa6864b8962261064dc5a0601ab3f22

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.20.13"
        }
    ]
}

Affected versions

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.4

v0.0.5

v0.0.6

v0.0.7

v0.0.8

v0.0.9

v0.1

v0.1.1

v0.2.0

v0.2.1

v0.3.0

v0.4.0

v0.4.1

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.1.0

v1.1.1

v1.2.0

v1.3.0

v1.3.0-beta.1

v1.3.0-beta.2

v1.3.0-beta.3

v1.3.0-beta.4

v1.3.1

v1.3.2

v1.4.0

v1.4.0-beta.1

v1.4.0-beta.2

v1.4.0-beta.3

v1.4.1

v1.4.11

v1.4.12

v1.4.13

v1.4.2

v1.4.3

v1.4.3-beta.1

v1.4.3-beta.2

v1.4.3-beta.3

v1.4.4

v1.4.5

v1.4.6

v1.4.7

v1.4.7-beta.1

v1.4.8

v1.4.9

v1.5.0-alpha.1

v2.*

v2.0.0

v2.0.0-alpha.1

v2.0.0-alpha.2

v2.0.0-alpha.3

v2.0.0-alpha.4

v2.0.0-beta.1

v2.0.0-beta.2

v2.0.0-rc.1

v2.0.0-rc.2

v2.1.0

v2.1.0-rc.1

v2.10.0

v2.10.0-alpha.1

v2.10.0-beta.1

v2.11.0

v2.11.0-rc.1

v2.11.0-rc.2

v2.12.0

v2.12.0-alpha.1

v2.12.0-alpha.2

v2.12.0-beta.1

v2.12.0-beta.2

v2.12.0-rc.1

v2.12.0-rc.2

v2.12.3

v2.13.0

v2.13.0-rc.1

v2.14.0

v2.14.0-rc.1

v2.15.0

v2.15.0-rc.1

v2.16.0

v2.16.0-rc.1

v2.16.0-rc.2

v2.17.0

v2.17.0-alpha.1

v2.17.0-alpha.2

v2.17.0-beta.1

v2.17.0-rc.1

v2.18.0

v2.18.0-rc.1

v2.19.0

v2.19.0-rc.1

v2.19.0-rc.2

v2.19.0-rc.3

v2.19.0-rc.4

v2.2.0

v2.20.0

v2.20.0-rc.1

v2.20.0-rc.2

v2.20.1

v2.20.10

v2.20.11

v2.20.12

v2.20.2

v2.20.3

v2.20.4

v2.20.5

v2.20.6

v2.20.7

v2.20.8

v2.20.9

v2.3.0

v2.3.0-rc.1

v2.4.0

v2.4.0-rc.1

v2.5.0

v2.5.0-rc.1

v2.5.0-rc.2

v2.5.1

v2.6.0

v2.6.0-rc.1

v2.7.0

v2.7.0-rc.1

v2.7.0-rc.2

v2.8.0

v2.8.0-rc.1

v2.8.0-rc.2

v2.9.0

v2.9.0-rc.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-44593.json"