halo CVE Vulnerabilities & Metrics

Focus on halo vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About halo Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with halo. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total halo CVEs: 26
Earliest CVE date: 12 May 2018, 04:29 UTC
Latest CVE date: 11 Sep 2024, 15:15 UTC

Latest CVE reference: CVE-2024-43793

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 2

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 100.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 100.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical halo CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 5.0

Max CVSS: 10.0

Critical CVEs (≥9): 1

CVSS Range vs. Count

Range	Count
0.0-3.9	8
4.0-6.9	11
7.0-8.9	6
9.0-10.0	1

CVSS Distribution Chart

Top 5 Highest CVSS halo CVEs

These are the five CVEs with the highest CVSS scores for halo, sorted by severity first and recency.

CVE-2020-21523 halo Published on 30 Sep 2020, 18:15 UTC (CVSS: 10.0)
A Server-Side Freemarker template injection vulnerability in halo CMS v1.1.3 In the Edit Theme File function. The ftl file can be edited. This is the Freemarker template file. This file can cause arbitrary code execution when it is rendered in the background. exp: <#assign test="freemarker.template.utility.Execute"?new()> ${test("touch /tmp/freemarkerPwned")}
CVE-2020-21527 halo Published on 30 Sep 2020, 18:15 UTC (CVSS: 8.5)
There is an Arbitrary file deletion vulnerability in halo v1.1.3. A backup function in the background allows a user, when deleting their backup files, to delete any files on the system through directory traversal.
CVE-2022-32995 halo Published on 27 Jun 2022, 23:15 UTC (CVSS: 7.5)
Halo CMS v1.5.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the template remote download function.
CVE-2022-32994 halo Published on 27 Jun 2022, 23:15 UTC (CVSS: 7.5)
Halo CMS v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the component /api/admin/attachments/upload.
CVE-2020-18980 halo Published on 12 Jul 2021, 15:15 UTC (CVSS: 7.5)
Remote Code Executon vulnerability in Halo 0.4.3 via the remoteAddr and themeName parameters.

All CVEs for halo

CVE-2024-43793 halo vulnerability CVSS: 0 11 Sep 2024, 15:15 UTC

Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.19.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user's browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. This vulnerability is fixed in 2.19.0.

CVE-2024-43792 halo vulnerability CVSS: 0 02 Sep 2024, 18:15 UTC

Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.17.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user's browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. Users are advised to upgrade to version 2.17.0+. There are no known workarounds for this vulnerability.

CVE-2023-27164 halo vulnerability CVSS: 0 10 Mar 2023, 16:15 UTC

An arbitrary file upload vulnerability in Halo up to v1.6.1 allows attackers to execute arbitrary code via a crafted .md file.

CVE-2022-32995 halo vulnerability CVSS: 7.5 27 Jun 2022, 23:15 UTC

Halo CMS v1.5.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the template remote download function.

CVE-2022-32994 halo vulnerability CVSS: 7.5 27 Jun 2022, 23:15 UTC

Halo CMS v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the component /api/admin/attachments/upload.

CVE-2022-26619 halo vulnerability CVSS: 5.0 05 Apr 2022, 01:15 UTC

Halo Blog CMS v1.4.17 was discovered to allow attackers to upload arbitrary files via the Attachment Upload function.

CVE-2021-43659 halo vulnerability CVSS: 3.5 24 Mar 2022, 14:15 UTC

In halo 1.4.14, the function point of uploading the avatar, any file can be uploaded, such as uploading an HTML file, which will cause a stored XSS vulnerability.

CVE-2022-22125 halo vulnerability CVSS: 3.5 13 Jan 2022, 17:15 UTC

In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article tag. An authenticated admin attacker can inject arbitrary javascript code that will execute on a victim’s server.

CVE-2020-23079 halo vulnerability CVSS: 5.0 12 Jul 2021, 17:15 UTC

SSRF vulnerability in Halo <=1.3.2 exists in the SMTP configuration, which can detect the server intranet.

CVE-2020-19038 halo vulnerability CVSS: 6.4 12 Jul 2021, 17:15 UTC

File Deletion vulnerability in Halo 0.4.3 via delBackup.

CVE-2020-19037 halo vulnerability CVSS: 5.0 12 Jul 2021, 17:15 UTC

Incorrect Access Control vulnearbility in Halo 0.4.3, which allows a malicious user to bypass encrption to view encrpted articles via cookies.

CVE-2020-18982 halo vulnerability CVSS: 3.5 12 Jul 2021, 17:15 UTC

Cross Sie Scripting (XSS) vulnerability in Halo 0.4.3 via CommentAuthorUrl.

CVE-2020-18980 halo vulnerability CVSS: 7.5 12 Jul 2021, 15:15 UTC

Remote Code Executon vulnerability in Halo 0.4.3 via the remoteAddr and themeName parameters.

CVE-2020-18979 halo vulnerability CVSS: 4.3 12 Jul 2021, 15:15 UTC

Cross Siste Scripting (XSS) vulnerablity in Halo 0.4.3 via the X-forwarded-for Header parameter.

CVE-2020-21345 halo vulnerability CVSS: 4.3 20 May 2021, 17:15 UTC

Cross Site Scripting (XSS) vulnerability in Halo 1.1.3 via post publish components in the manage panel, which lets a remote malicious user execute arbitrary code.

CVE-2020-21527 halo vulnerability CVSS: 8.5 30 Sep 2020, 18:15 UTC

There is an Arbitrary file deletion vulnerability in halo v1.1.3. A backup function in the background allows a user, when deleting their backup files, to delete any files on the system through directory traversal.

CVE-2020-21526 halo vulnerability CVSS: 7.5 30 Sep 2020, 18:15 UTC

An Arbitrary file writing vulnerability in halo v1.1.3. In an interface to write files in the background, a directory traversal check is performed on the input path parameter, but the startsWith function can be used to bypass it.

CVE-2020-21525 halo vulnerability CVSS: 5.0 30 Sep 2020, 18:15 UTC

Halo V1.1.3 is affected by: Arbitrary File reading. In an interface that reads files in halo v1.1.3, a directory traversal check is performed on the input path parameter, but the startsWith function can be used to bypass it.

CVE-2020-21524 halo vulnerability CVSS: 6.4 30 Sep 2020, 18:15 UTC

There is a XML external entity (XXE) vulnerability in halo v1.1.3, The function of importing other blogs in the background(/api/admin/migrations/wordpress) needs to parse the xml file, but it is not used for security defense, This vulnerability can detect the intranet, read files, enable ddos attacks, etc. exp:https://github.com/halo-dev/halo/issues/423

CVE-2020-21523 halo vulnerability CVSS: 10.0 30 Sep 2020, 18:15 UTC

A Server-Side Freemarker template injection vulnerability in halo CMS v1.1.3 In the Edit Theme File function. The ftl file can be edited. This is the Freemarker template file. This file can cause arbitrary code execution when it is rendered in the background. exp: <#assign test="freemarker.template.utility.Execute"?new()> ${test("touch /tmp/freemarkerPwned")}

CVE-2020-21522 halo vulnerability CVSS: 7.5 30 Sep 2020, 18:15 UTC

An issue was discovered in halo V1.1.3. A Zip Slip Directory Traversal Vulnerability in the backend,the attacker can overwrite some files, such as ftl files, .bashrc files in the user directory, and finally get the permissions of the operating system.

CVE-2020-19007 halo vulnerability CVSS: 3.5 26 Aug 2020, 14:15 UTC

Halo blog 1.2.0 allows users to submit comments on blog posts via /api/content/posts/comments. The javascript code supplied by the attacker will then execute in the victim user's browser.

CVE-2019-19999 halo vulnerability CVSS: 6.5 26 Dec 2019, 04:15 UTC

Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is not used in the FreeMarker configuration.

CVE-2019-16890 halo vulnerability CVSS: 3.5 25 Sep 2019, 21:15 UTC

Halo 1.1.0 has XSS via a crafted authorUrl in JSON data to api/content/posts/comments.

CVE-2018-11012 halo vulnerability CVSS: 4.3 12 May 2018, 04:29 UTC

ruibaby Halo 0.0.2 has stored XSS via the loginName and loginPwd parameters in a failed login attempt to AdminController.java.

CVE-2018-11011 halo vulnerability CVSS: 4.3 12 May 2018, 04:29 UTC

ruibaby Halo 0.0.2 has stored XSS via the commentAuthor field to FrontCommentController.java.