CVE-2026-15326
Received Received - Intake

Path Traversal in Halo CMS Theme Installation

Vulnerability report for CVE-2026-15326, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulDB

Description

A vulnerability was identified in halo-dev halo up to 2.24.2. This affects the function ThemeUtils.unzipThemeTo of the file ThemeUtils.java of the component Theme Installation. Such manipulation of the argument metadata.name leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The project closed the issue as "duplicate" but did not reference any other issue, report, or CVE.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
halo-dev halo to 2.24.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15326 is an Arbitrary File Write vulnerability in the Halo Project, affecting versions up to 2.24.2. It occurs in the theme installation feature, specifically in the function ThemeUtils.unzipThemeTo, due to improper validation of the metadata.name field in theme.yaml.

An attacker with theme management permissions can manipulate the metadata.name argument to include path traversal sequences (e.g., ../), causing files to be written outside the intended themes directory. This allows writing files into sensitive locations such as the public static directory.

The vulnerability arises because the code does not properly normalize or validate the target path during theme installation, enabling attackers to inject arbitrary files remotely.

Impact Analysis

This vulnerability can lead to arbitrary file writes on the server hosting the Halo application. An attacker can write malicious files into directories like the public static directory.

  • Persistent content injection or stored cross-site scripting (XSS) attacks by injecting malicious HTML or JavaScript.
  • Potential compromise of the server if the Halo process has write permissions to sensitive directories, leading to further exploitation.
  • Remote exploitation with low attack complexity and network-based attack vector, requiring only theme management privileges.
Detection Guidance

This vulnerability can be detected by monitoring for unusual file writes outside the intended theme directories, especially writes to the public static directory such as /static. Since the exploit involves manipulation of the metadata.name field in theme.yaml to perform path traversal, inspecting theme installation requests for suspicious path traversal patterns like '../' in metadata.name is key.

You can check for unexpected files or changes in the /static directory or other sensitive directories where the Halo process has write permissions.

While no specific commands are provided in the resources, general detection commands could include:

  • Searching for recently modified or created files in the static directory: `find /path/to/halo/static -type f -mtime -7` (to find files modified in the last 7 days)
  • Checking theme.yaml files for suspicious metadata.name values containing path traversal sequences: `grep -r 'metadata.name: ..' /path/to/halo/themes/`
  • Monitoring logs for theme installation requests that include path traversal patterns.
Mitigation Strategies

Immediate mitigation steps include validating and sanitizing the metadata.name field in theme.yaml to reject absolute paths or names containing path separators that enable path traversal.

You should apply patches or updates that normalize and validate the target path during theme installation to prevent writing files outside the intended directories.

Restrict theme management permissions to trusted users only, as exploitation requires theme management privileges.

Monitor and audit file writes in the public static directory and other sensitive directories to detect and respond to suspicious activity.

If possible, temporarily disable theme installation functionality until a patch or fix is applied.

Compliance Impact

The vulnerability allows an attacker with theme management permissions to perform arbitrary file writes via path traversal, potentially leading to persistent content injection or stored cross-site scripting (XSS). This could result in unauthorized modification or injection of malicious content on the affected system.

Such unauthorized file writes and potential XSS attacks may lead to data integrity and security issues, which could impact compliance with standards and regulations like GDPR and HIPAA that require protection of data confidentiality, integrity, and availability.

However, the provided information does not explicitly detail the direct impact on compliance with these regulations or specific controls that might be violated.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15326. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart