Skip to main content

Halo CMS CVE-2026-55439

| EUVDEUVD-2026-39465 MEDIUM
Path Traversal (CWE-22)
2026-06-25 GitHub_M
5.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L
vuln.today AI
5.5 MEDIUM

Admin authentication required (PR:H); network-accessible endpoint (AV:N); read-only filesystem access (I:N); low availability impact from unsanitized backup status fields.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 18:03 EUVD
Analysis Generated
Jun 25, 2026 - 17:22 vuln.today

DescriptionCVE.org

Halo is an open source website building tool. Prior to 2.24.3, a path traversal vulnerability in the backup download endpoint allows authenticated administrators to read arbitrary files from the server filesystem. The backup download endpoint (GET /apis/console.api.migration.halo.run/v1alpha1/backups/{name}/files/{filename}) in MigrationServiceImpl.download() resolves the backup filename via Path.resolve() without validating that the resolved path stays within the designated backups directory. Also, the Backup creation endpoint (POST /apis/migration.halo.run/v1alpha1/backups) does not sanitize the status fields during creation This vulnerability is fixed in 2.24.3.

AnalysisAI

Path traversal in Halo's backup download endpoint allows authenticated administrators to read arbitrary files from the server filesystem, bypassing directory boundaries. Affected are all Halo deployments prior to version 2.24.3, where the MigrationServiceImpl.download() method invokes Path.resolve() on attacker-supplied filenames without enforcing containment within the designated backups directory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Halo administrator credentials
Delivery
Authenticate to admin console or API
Exploit
Craft GET request with path traversal in {filename} parameter
Execution
MigrationServiceImpl.download() calls Path.resolve() without boundary check
Persist
Server resolves path outside backup directory
Impact
Arbitrary server file content returned to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated Halo administrator session (PR:H). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 5.5 (Medium) reflects the meaningful constraint imposed by PR:H - exploitation requires a fully authenticated administrator session, not merely any logged-in user. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained Halo administrator credentials - through phishing, credential reuse, or prior compromise - authenticates to the admin console and issues a crafted GET request to the backup download endpoint with a filename parameter containing path traversal sequences such as ../../etc/passwd or ../../app/config/application.yaml. Because Path.resolve() normalizes the traversal without boundary enforcement, the server returns the content of the targeted file. …
Remediation Upgrade to Halo 2.24.3, which introduces proper path boundary validation in MigrationServiceImpl.download() and sanitization of status fields in the backup creation endpoint. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Halo

View all
CVE-2022-32995 CRITICAL POC
9.8 Jun 27

Halo CMS v1.5.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the template remote download function

CVE-2022-32994 CRITICAL POC
9.8 Jun 27

Halo CMS v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the component /api/admin/attachment

CVE-2020-21526 CRITICAL POC
9.8 Sep 30

An Arbitrary file writing vulnerability in halo v1.1.3. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2020-21523 CRITICAL POC
9.8 Sep 30

A Server-Side Freemarker template injection vulnerability in halo CMS v1.1.3 In the Edit Theme File function. Rated crit

CVE-2020-21522 CRITICAL POC
9.8 Sep 30

An issue was discovered in halo V1.1.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2020-21524 CRITICAL POC
9.1 Sep 30

There is a XML external entity (XXE) vulnerability in halo v1.1.3, The function of importing other blogs in the backgrou

CVE-2025-70886 HIGH POC
7.5 Feb 12

An issue in halo v.2.22.4 and before allows a remote attacker to cause a denial of service via a crafted payload to the

CVE-2022-26619 HIGH POC
7.5 Apr 05

Halo Blog CMS v1.4.17 was discovered to allow attackers to upload arbitrary files via the Attachment Upload function. Ra

CVE-2020-21525 HIGH POC
7.5 Sep 30

Halo V1.1.3 is affected by: Arbitrary File reading. Rated high severity (CVSS 7.5), this vulnerability is remotely explo

CVE-2019-19999 HIGH POC
7.2 Dec 26

Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is no

CVE-2024-43793 MEDIUM POC
6.4 Sep 11

Halo is an open source website building tool. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitab

CVE-2024-43792 MEDIUM POC
6.1 Sep 02

Halo is an open source website building tool. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitab

Share

CVE-2026-55439 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy