GCVE - cpe:2.3:a:fit2cloud:halo:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:fit2cloud:halo:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Fit2Cloud (`c8671a2b-c20a-5faf-aa4d-02770d5e105b`)
Product	Halo (`cdb3a7d0-9bc9-572b-8367-c4921e1861c5`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:github/halo-dev/halo`	purl2cpe	2026-06-01 10:12:27.672903

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-14117`	vulnerable	2026-06-08 07:06:33.627781	fit2cloud Halo cross-site request forgery MEDIUM (4.3) A vulnerability has been found in fit2cloud Halo 2.21.10. Impacted is an unknown function. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published: 2025-12-06T05:32:06.404Z Updated: 2026-02-24T05:41:46.084Z Open on db.gcve.eu Reference links https://vuldb.com/?id.334494 https://vuldb.com/?ctiid.334494 https://vuldb.com/?submit.697391 https://blksword.flowus.cn/ https://github.com/BlkSword/POC	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-22124`	vulnerable	2026-06-08 05:40:06.032944	Halo CMS - Stored Cross-Site Scripting (XSS) in Profile Image MEDIUM (5.4) In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the profile image. An authenticated attacker can upload a carefully crafted SVG file that will trigger arbitrary javascript to run on a victim’s browser. Published: 2022-01-13T16:45:16.379Z Updated: 2024-09-17T02:42:04.777Z Open on db.gcve.eu Reference links https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/handler/file/FileHandler.java#L30 https://github.com/halo-dev/halo/issues/1575 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22124	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-22123`	vulnerable	2026-06-08 05:40:06.032445	Halo CMS - Stored Cross-Site Scripting (XSS) in Article's Title MEDIUM (5.4) In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article title. An authenticated attacker can inject arbitrary javascript code that will execute on a victim’s server. Published: 2022-01-13T16:45:14.866Z Updated: 2024-09-17T01:51:59.138Z Open on db.gcve.eu Reference links https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/service/impl/PostServiceImpl.java#L391 https://github.com/halo-dev/halo/issues/1557 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22123	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.