Skip to main content

Htmly

12 CVEs product

Monthly

CVE-2026-57940 LOW Monitor

Server-Side Request Forgery in HTMLy 3.1.1 allows authenticated administrators to coerce the server into issuing arbitrary outbound HTTP or local filesystem requests via the RSS feed import feature. The vulnerable `get_feed()` function at `system/admin/admin.php` lines 1549-1551 passes the admin-supplied URL directly to PHP's `file_get_contents()` with no scheme filtering or allowlist validation, enabling access to cloud metadata endpoints (e.g., 169.254.169.254), internal network services, or local files via `file://` wrappers. No public exploit or CISA KEV listing exists at time of analysis; the CVSS 4.0 score of 2.1 reflects the high privilege prerequisite and limited confidentiality impact.

SSRF PHP Htmly
NVD GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-45233 HIGH POC This Week

Arbitrary file relocation in HTMLy CMS through version 3.1.1 allows low-privileged authenticated users to move any web-server-writable file by injecting directory traversal sequences into the oldfile parameter of the admin autosave endpoint. Reported by VulnCheck with publicly available exploit code, the flaw stems from passing unsanitized input directly to file_exists() and rename() in admin.php. It is not listed in CISA KEV, so there is no public exploit identified as actively exploited at time of analysis despite the available POC.

Path Traversal PHP Htmly
NVD GitHub
CVSS 4.0
7.2
EPSS
0.6%
CVE-2025-56154 MEDIUM This Month

htmly v3.0.8 is vulnerable to Cross Site Scripting (XSS) in the /author/:name endpoint of the affected application. The name parameter is not properly sanitized before being reflected in the HTML response, allowing attackers to inject arbitrary JavaScript payloads.

XSS Htmly
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2024-34191 MEDIUM This Month

htmly v2.9.6 was discovered to contain an arbitrary file deletion vulnerability via the delete_post() function at admin.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Information Disclosure Htmly
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-30953 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in Htmly v2.9.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Link Name parameter of Menu Editor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Htmly
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2022-1087 MEDIUM POC This Month

A vulnerability, which was classified as problematic, has been found in htmly 5.3 whis affects the component Edit Profile Module. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Htmly
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.9%
CVE-2022-25022 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in Htmly v2.8.1 allows attackers to excute arbitrary web scripts HTML via a crafted payload in the content field of a blog post. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Htmly
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
1.1%
CVE-2021-36703 MEDIUM POC This Month

The "blog title" field in the "Settings" menu "config" page of "dashboard" in htmly 2.8.1 has a storage cross site scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Htmly
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-36702 MEDIUM POC This Month

The "content" field in the "regular post" page of the "add content" menu under "dashboard" in htmly 2.8.1 has a storage cross site scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Htmly
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-36701 CRITICAL POC Act Now

In htmly version 2.8.1, is vulnerable to an Arbitrary File Deletion on the local host when delete backup files. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Htmly
NVD GitHub
CVSS 3.1
9.1
EPSS
1.6%
CVE-2021-30637 MEDIUM POC This Month

htmly 2.8.0 allows stored XSS via the blog title, Tagline, or Description to config.html.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Htmly
NVD GitHub Exploit-DB
CVSS 3.1
5.4
EPSS
1.9%
CVE-2019-8349 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in HTMLy 2.7.4 allow remote attackers to inject arbitrary web script or HTML via the (1) destination parameter to delete feature; the (2). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Htmly
NVD
CVSS 3.0
6.1
EPSS
2.2%
EPSS 0% CVSS 2.1
LOW Monitor

Server-Side Request Forgery in HTMLy 3.1.1 allows authenticated administrators to coerce the server into issuing arbitrary outbound HTTP or local filesystem requests via the RSS feed import feature. The vulnerable `get_feed()` function at `system/admin/admin.php` lines 1549-1551 passes the admin-supplied URL directly to PHP's `file_get_contents()` with no scheme filtering or allowlist validation, enabling access to cloud metadata endpoints (e.g., 169.254.169.254), internal network services, or local files via `file://` wrappers. No public exploit or CISA KEV listing exists at time of analysis; the CVSS 4.0 score of 2.1 reflects the high privilege prerequisite and limited confidentiality impact.

SSRF PHP Htmly
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC This Week

Arbitrary file relocation in HTMLy CMS through version 3.1.1 allows low-privileged authenticated users to move any web-server-writable file by injecting directory traversal sequences into the oldfile parameter of the admin autosave endpoint. Reported by VulnCheck with publicly available exploit code, the flaw stems from passing unsanitized input directly to file_exists() and rename() in admin.php. It is not listed in CISA KEV, so there is no public exploit identified as actively exploited at time of analysis despite the available POC.

Path Traversal PHP Htmly
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

htmly v3.0.8 is vulnerable to Cross Site Scripting (XSS) in the /author/:name endpoint of the affected application. The name parameter is not properly sanitized before being reflected in the HTML response, allowing attackers to inject arbitrary JavaScript payloads.

XSS Htmly
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

htmly v2.9.6 was discovered to contain an arbitrary file deletion vulnerability via the delete_post() function at admin.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Information Disclosure Htmly
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in Htmly v2.9.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Link Name parameter of Menu Editor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Htmly
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

A vulnerability, which was classified as problematic, has been found in htmly 5.3 whis affects the component Edit Profile Module. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Htmly
NVD GitHub VulDB
EPSS 1% CVSS 5.4
MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in Htmly v2.8.1 allows attackers to excute arbitrary web scripts HTML via a crafted payload in the content field of a blog post. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Htmly
NVD GitHub VulDB
EPSS 1% CVSS 6.1
MEDIUM POC This Month

The "blog title" field in the "Settings" menu "config" page of "dashboard" in htmly 2.8.1 has a storage cross site scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Htmly
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

The "content" field in the "regular post" page of the "add content" menu under "dashboard" in htmly 2.8.1 has a storage cross site scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Htmly
NVD GitHub
EPSS 2% CVSS 9.1
CRITICAL POC Act Now

In htmly version 2.8.1, is vulnerable to an Arbitrary File Deletion on the local host when delete backup files. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Htmly
NVD GitHub
EPSS 2% CVSS 5.4
MEDIUM POC This Month

htmly 2.8.0 allows stored XSS via the blog title, Tagline, or Description to config.html.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Htmly
NVD GitHub Exploit-DB
EPSS 2% CVSS 6.1
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in HTMLy 2.7.4 allow remote attackers to inject arbitrary web script or HTML via the (1) destination parameter to delete feature; the (2). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Htmly
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy