XSS in Halo
CVE-2025-44593
Halo prior to 2.20.13 allows bypassing its file type detection, so files that should be rejected, such as .exe and .html, can be uploaded. An uploaded .html file is the stored XSS case: a user who opens it from the site executes attacker-supplied script in Halo's origin, which matches the CVSS vector below (user interaction required, scope changed). This vulnerability is fixed in 2.20.13.
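As an added illustration of this bug class (example code, not Halo's own code, and not the specific check that CVE-2025-44593 bypasses, which the description does not detail), the block below puts a weak upload check that trusts the client-supplied Content-Type next to a hardened one: extension allowlist, magic-byte sniffing, agreement between the three signals, a server-chosen filename, and response headers that stop a browser from rendering an upload as HTML. All payloads are constructed samples; the function names and the accepted-type tables are assumptions for the example.

```python
"""Weak vs. hardened upload validation for the upload-to-stored-XSS bug class.

Added illustration, not Halo's code. The weak check trusts the client-supplied
Content-Type; the hardened check allowlists extensions, sniffs magic bytes,
requires the two to agree with the declared type, renames the file, and serves
it with headers that stop a browser from running it as HTML.
"""
import os
import secrets

# Extension allowlist keyed by the MIME type the content sniffs as (assumed policy).
ALLOWED = {
    "image/png": {".png"},
    "image/jpeg": {".jpg", ".jpeg"},
    "image/gif": {".gif"},
}
# Leading bytes ("magic") for each accepted type.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample uploads (not captured traffic).
HTML_PAYLOAD = b"<html><body><script>alert(document.domain)</script></body></html>"
PNG_PAYLOAD = b"\x89PNG\r\n\x1a\n" + bytes(32)
POLYGLOT = b"\x89PNG\r\n\x1a\n<script>alert(1)</script>"  # PNG magic, HTML body


def weak_is_allowed(filename, client_content_type, data):
    """Weak check: believes the Content-Type the client sends.

    The attacker controls that header, so 'avatar.html' with an HTML body
    passes as long as the request claims image/png.
    """
    return client_content_type in ALLOWED


def sniff(data):
    """Return the MIME type implied by the leading bytes, or None."""
    for mime, magics in MAGIC.items():
        if data.startswith(magics):  # bytes.startswith accepts a tuple
            return mime
    return None


def hardened_validate(filename, client_content_type, data):
    """Return (sniffed_mime, extension) or raise ValueError.

    Extension, sniffed content and declared Content-Type must all agree.
    The client's filename is only consulted for its extension; it is never
    reused on disk (see safe_stored_name).
    """
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    mime = sniff(data)
    if mime is None:
        raise ValueError("content does not match any accepted type")
    if ext not in ALLOWED[mime]:
        raise ValueError(f"extension {ext!r} does not match sniffed type {mime}")
    if client_content_type != mime:
        raise ValueError("declared Content-Type disagrees with content")
    return mime, ext


def safe_stored_name(ext):
    """Server-chosen name: random stem plus the validated extension, no path parts."""
    return secrets.token_hex(8) + ext


def response_headers(mime):
    """Headers for serving an upload so a browser cannot execute it as HTML.

    nosniff prevents MIME sniffing of a polyglot; the CSP sandbox neutralises
    script even if something upstream mislabels the file as text/html.
    """
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "inline" if mime in ALLOWED else "attachment",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    print("weak accepts HTML body declared as image/png:",
          weak_is_allowed("avatar.html", "image/png", HTML_PAYLOAD))
    for name, ctype, body in [("avatar.html", "image/png", HTML_PAYLOAD),
                              ("avatar.html", "image/png", POLYGLOT),
                              ("avatar.png", "image/png", PNG_PAYLOAD)]:
        try:
            print(name, "->", hardened_validate(name, ctype, body))
        except ValueError as exc:
            print(name, "rejected:", exc)
```

The polyglot case is the one to keep in mind: a file with a valid PNG header and an HTML body passes the hardened validator when it arrives as `x.png`, and that is acceptable only because it is then served as `image/png` with `nosniff`, so the browser never treats it as a document. Validation at upload time and safe serving headers are two halves of the same fix.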
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.002 (14.9th percentile).
CVSS v3 metrics
CVSS v3.1 base score 6.1 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Read: reachable over the network with low complexity and no privileges, but a victim must open the uploaded file (UI:R); the script then runs in the victim's browser rather than the upload component (S:C), with low confidentiality and integrity impact and no availability impact.
Affected products
- Halo, versions prior to 2.20.13 (fixed in 2.20.13)
Weakness classification (CWE)
- Based on the description above: CWE-434 (Unrestricted Upload of File with Dangerous Type) as the root cause, leading to CWE-79 (Improper Neutralization of Input During Web Page Generation, Cross-site Scripting).
Frequently asked questions
- What is CVE-2025-44593?
- CVE-2025-44593 is a medium-severity stored cross-site scripting vulnerability in Halo versions prior to 2.20.13, reached by bypassing file type detection to upload an .html file. CVSS v3.1 base score: 6.1/10. Published 2025-09-09.
- How severe is CVE-2025-44593?
- Medium severity. CVSS v3 base score is 6.1 out of 10.