CVE-2024-56156 MEDIUM

CVE-2024-56156: Halo Vulnerable to Stored XSS and RCE via File Upload Bypass

Vendor Halo-Dev
Product halo
Weakness CWE-79 · XSS
Published April 25, 2025
Last update February 3, 2026

CVSS base score

5.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:P

What the vulnerability does

01Description

Halo is an open source website building tool. Prior to version 2.20.13, a vulnerability in Halo allows attackers to bypass file type validation controls. This bypass enables the upload of malicious files including executables and HTML files, which can lead to stored cross-site scripting attacks and potential remote code execution under certain circumstances. This issue has been patched in version 2.20.13.

Key dates

02Disclosure timeline

April 25, 2025 CVE published
February 3, 2026 Record updated