CVE-2026-15326

Source
https://cve.org/CVERecord?id=CVE-2026-15326
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15326.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-15326
Published
2026-07-10T03:15:08.830Z
Modified
2026-07-15T01:49:17.394730060Z
Severity
  • 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
halo-dev halo Theme Installation ThemeUtils.java ThemeUtils.unzipThemeTo path traversal
Details

A vulnerability was identified in halo-dev halo up to 2.24.2. This affects the function ThemeUtils.unzipThemeTo of the file ThemeUtils.java of the component Theme Installation. Such manipulation of the argument metadata.name leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The project closed the issue as "duplicate" but did not reference any other issue, report, or CVE.

Database specific
{
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/15xxx/CVE-2026-15326.json",
    "cna_assigner": "VulDB"
}
References

Affected packages

Git / github.com/halo-dev/halo

Affected ranges

Type
GIT
Repo
https://github.com/halo-dev/halo
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "2.24.0"
        },
        {
            "last_affected": "2.24.0"
        },
        {
            "introduced": "2.24.1"
        },
        {
            "last_affected": "2.24.1"
        },
        {
            "introduced": "2.24.2"
        },
        {
            "last_affected": "2.24.2"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

2.*
2.24.0
2.24.1
2.24.2
v2.*
v2.24.0
v2.24.1
v2.24.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15326.json"