Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L
Admin authentication required (PR:H); network-accessible endpoint (AV:N); read-only filesystem access (I:N); low availability impact from unsanitized backup status fields.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Halo is an open source website building tool. Prior to 2.24.3, a path traversal vulnerability in the backup download endpoint allows authenticated administrators to read arbitrary files from the server filesystem. The backup download endpoint (GET /apis/console.api.migration.halo.run/v1alpha1/backups/{name}/files/{filename}) in MigrationServiceImpl.download() resolves the backup filename via Path.resolve() without validating that the resolved path stays within the designated backups directory. Also, the Backup creation endpoint (POST /apis/migration.halo.run/v1alpha1/backups) does not sanitize the status fields during creation This vulnerability is fixed in 2.24.3.
AnalysisAI
Path traversal in Halo's backup download endpoint allows authenticated administrators to read arbitrary files from the server filesystem, bypassing directory boundaries. Affected are all Halo deployments prior to version 2.24.3, where the MigrationServiceImpl.download() method invokes Path.resolve() on attacker-supplied filenames without enforcing containment within the designated backups directory. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated Halo administrator session (PR:H). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 5.5 (Medium) reflects the meaningful constraint imposed by PR:H - exploitation requires a fully authenticated administrator session, not merely any logged-in user. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained Halo administrator credentials - through phishing, credential reuse, or prior compromise - authenticates to the admin console and issues a crafted GET request to the backup download endpoint with a filename parameter containing path traversal sequences such as ../../etc/passwd or ../../app/config/application.yaml. Because Path.resolve() normalizes the traversal without boundary enforcement, the server returns the content of the targeted file. … |
| Remediation | Upgrade to Halo 2.24.3, which introduces proper path boundary validation in MigrationServiceImpl.download() and sanitization of status fields in the backup creation endpoint. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Halo CMS v1.5.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the template remote download function
Halo CMS v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the component /api/admin/attachment
An Arbitrary file writing vulnerability in halo v1.1.3. Rated critical severity (CVSS 9.8), this vulnerability is remote
A Server-Side Freemarker template injection vulnerability in halo CMS v1.1.3 In the Edit Theme File function. Rated crit
An issue was discovered in halo V1.1.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
There is a XML external entity (XXE) vulnerability in halo v1.1.3, The function of importing other blogs in the backgrou
An issue in halo v.2.22.4 and before allows a remote attacker to cause a denial of service via a crafted payload to the
Halo Blog CMS v1.4.17 was discovered to allow attackers to upload arbitrary files via the Attachment Upload function. Ra
Halo V1.1.3 is affected by: Arbitrary File reading. Rated high severity (CVSS 7.5), this vulnerability is remotely explo
Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is no
Halo is an open source website building tool. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitab
Halo is an open source website building tool. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitab
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39465