CVE-2026-15326

medium

Description

A vulnerability was identified in halo-dev halo up to 2.24.2. This affects the function ThemeUtils.unzipThemeTo of the file ThemeUtils.java of the component Theme Installation. Such manipulation of the argument metadata.name leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The project closed the issue as "duplicate" but did not reference any other issue, report, or CVE.

References

https://vuldb.com/vuln/377265/cti

https://vuldb.com/vuln/377265

https://vuldb.com/submit/853064

https://vuldb.com/cve/CVE-2026-15326

https://github.com/halo-dev/halo/issues/10062

https://github.com/halo-dev/halo/

Details

Source: Mitre, NVD

Published: 2026-07-10

Updated: 2026-07-10

Risk Information

CVSS v2

Base Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:M/C:N/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 3.8

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

Severity: Low

CVSS v4

Base Score: 5.1

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Severity: Medium