A vulnerability was identified in halo-dev halo up to 2.24.2. This affects the function ThemeUtils.unzipThemeTo of the file ThemeUtils.java of the component Theme Installation. Such manipulation of the argument metadata.name leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The project closed the issue as "duplicate" but did not reference any other issue, report, or CVE.
History

Fri, 10 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Jul 2026 04:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in halo-dev halo up to 2.24.2. This affects the function ThemeUtils.unzipThemeTo of the file ThemeUtils.java of the component Theme Installation. Such manipulation of the argument metadata.name leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The project closed the issue as "duplicate" but did not reference any other issue, report, or CVE.
Title halo-dev halo Theme Installation ThemeUtils.java ThemeUtils.unzipThemeTo path traversal
First Time appeared Halo
Halo halo
Weaknesses CWE-22
CPEs cpe:2.3:a:halo:halo:*:*:*:*:*:*:*:*
Vendors & Products Halo
Halo halo
References
Metrics cvssV2_0

{'score': 4.7, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-10T14:04:36.292Z

Reserved: 2026-07-09T18:20:45.794Z

Link: CVE-2026-15326

cve-icon Vulnrichment

Updated: 2026-07-10T14:04:30.374Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T12:45:04Z