Path Traversal Vulnerability in Halo Website Builder by Halo Dev
CVE-2026-55439
5.5 MEDIUM
What is CVE-2026-55439?
Halo, an open-source website building tool, contains a path traversal vulnerability in its backup download endpoint in versions prior to 2.24.3. The flaw allows authenticated administrators to access arbitrary files on the server's filesystem. It arises because the endpoint does not validate backup filenames when resolving them: it never ensures that the resolved path remains within the designated backups directory. The backup creation endpoint also has sanitization issues. These weaknesses put server data at risk and require immediate attention.
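The containment check described above, sketched as an added example in Java (the language Halo is written in). This is not Halo's code or its actual patch; the class name, method names and the temporary directory layout are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class BackupPathCheck {

    // Unsafe pattern: the requested name is resolved and used without any check.
    static Path resolveUnchecked(Path backupsDir, String filename) {
        return backupsDir.resolve(filename).normalize();
    }

    // Hardened pattern: accept a single plain file name, then confirm that the
    // real (symlink-resolved) path still lies inside the backups directory.
    static Path resolveContained(Path backupsDir, String filename) throws IOException {
        Path requested = Path.of(filename);
        if (filename.isEmpty() || requested.isAbsolute()
                || requested.getNameCount() != 1
                || filename.equals(".") || filename.equals("..")) {
            throw new SecurityException("backup name must be a plain file name");
        }
        Path root = backupsDir.toRealPath();
        // toRealPath() follows symlinks, so a link placed inside the backups
        // directory that points elsewhere fails the startsWith() check below.
        Path real = root.resolve(requested).toRealPath();
        if (!real.startsWith(root)) {
            throw new SecurityException("resolved path escapes the backups directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: <tmp>/backups/backup-1.zip and <tmp>/outside.txt
        Path base = Files.createTempDirectory("backup-check-example");
        Path backups = Files.createDirectory(base.resolve("backups"));
        Files.writeString(backups.resolve("backup-1.zip"), "constructed sample");
        Files.writeString(base.resolve("outside.txt"), "not a backup");

        for (String name : new String[] {"backup-1.zip", "../outside.txt"}) {
            System.out.println("unchecked: " + name + " -> " + resolveUnchecked(backups, name));
            try {
                System.out.println("contained: " + name + " -> " + resolveContained(backups, name));
            } catch (SecurityException e) {
                System.out.println("contained: " + name + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Comparing `Path` objects with `startsWith` works on whole path elements, so a sibling directory such as `backups-old` is not mistaken for a child of `backups`, which a plain string prefix comparison would allow.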
Affected Version(s)
halo < 2.24.3
