CVE-2026-15326 PUBLISHED

halo-dev halo Theme Installation ThemeUtils.java ThemeUtils.unzipThemeTo path traversal

Assigner: VulDB
Reserved: 09.07.2026 Published: 10.07.2026 Updated: 10.07.2026

A vulnerability was identified in halo-dev halo up to 2.24.2. This affects the function ThemeUtils.unzipThemeTo of the file ThemeUtils.java of the component Theme Installation. Such manipulation of the argument metadata.name leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The project closed the issue as "duplicate" but did not reference any other issue, report, or CVE.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
CVSS Score: 5.1

Product Status

Vendor halo-dev
Product halo
Versions
  • Version 2.24.0 is affected
  • Version 2.24.1 is affected
  • Version 2.24.2 is affected

Credits

  • rekczh (VulDB User) reporter
  • VulDB CNA Team coordinator

References

Problem Types

  • Path Traversal CWE