Back to overview

CVE-2026-15326

LOW
3.8
CVSS 3.1
Description
A vulnerability was identified in halo-dev halo up to 2.24.2. This affects the function ThemeUtils.unzipThemeTo of the file ThemeUtils.java of the component Theme Installation. Such manipulation of the argument metadata.name leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The project closed the issue as "duplicate" but did not reference any other issue, report, or CVE.

Metadata

CVE ID
CVE-2026-15326
State
PUBLISHED
Assigner
VulDB
Reserved
2026-07-09 18:20 UTC
Published
2026-07-10 03:15 UTC
Last updated
2026-07-10 03:15 UTC
Primary CWE
CWE-22
Path Traversal
Vendor / Product
halo-dev / halo
Sources
cve.org  ·  NVD

Severity & Metrics

3.8 LOW CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R
Affected products (1)
VendorProductPlatformVersions
halo-dev halo 2.24.0, 2.24.1, 2.24.2
Weakness (CWE)
CWESourceDescription
CWE-22 cna Path Traversal
CVSS scores (4)
ScoreSeverityVersionSourceVector
5.1 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
4.7 N/D 2.0 cna AV:N/AC:L/Au:M/C:N/I:P/A:P/E:POC/RL:ND/RC:UR
3.8 LOW 3.1 cna CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R
3.8 LOW 3.0 cna CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R
References (6)
Back to overview