Description
A Server-Side Request Forgery (SSRF) in the /themes/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request.
Published: 2026-04-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A server-side request forgery (SSRF) exists in the /themes/{name}/upgrade-from-uri endpoint of Halo version 2.22.14. Authenticated attackers can construct GET requests that cause the server to fetch arbitrary URLs, enabling them to discover and obtain data from internal services. This facilitates potential disclosure of sensitive information and may allow further lateral movement.

Affected Systems

Halo version 2.22.14

Risk and Exploitability

The CVSS score is 6.5 and the EPSS score is unavailable, so official severity ratings are limited. The vulnerability requires authenticating to the application, suggesting privileged or legitimate user accounts are needed to trigger the SSRF. Because this flaw allows scanning of internal resources, the risk includes internal network reconnaissance, data exfiltration, and possible exploitation of internal services should the attacker have sufficient privileges. The vulnerability is not listed in the CISA KEV catalog, indicating it is not a known exploited vulnerability at this time.

Generated by OpenCVE AI on May 2, 2026 at 00:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy firewall rules to block outbound connections from the application to internal IP ranges.
  • Disable the /themes/{name}/upgrade-from-uri endpoint for users who do not require upgrade functionality or remove the endpoint entirely.
  • Limit or remove authenticated access to the upgrade feature so only trusted administrators can use it.
  • Update to the latest Halo release once a fix for the SSRF vulnerability is published.
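The recommended actions above all aim to stop the upgrade-from-uri feature from fetching internal addresses. The following is an added example of the application-side counterpart to the firewall rule, not Halo's code: a guard for a hypothetical "fetch a theme bundle from a URI" handler that resolves the requested host and refuses any address in loopback, link-local, private or IPv4-mapped ranges. `check_upgrade_uri`, `demo_resolver` and the DEMO_DNS entries are constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical guard for a "fetch a theme bundle from a URI" feature (added
# example, not Halo's code): every address the host resolves to is checked
# against ranges the application should never fetch from.
ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def resolve_all(host):
    """Default resolver: every A/AAAA answer for host from real DNS."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_upgrade_uri(uri, resolver=resolve_all):
    """Return (ok, reason). The caller must connect to the address that was
    checked (pin it) and re-run this check on every redirect target."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URI not allowed"
    try:
        addrs = resolver(parts.hostname)
    except (OSError, ValueError) as exc:  # socket.gaierror is an OSError
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 is really 10.0.0.5
        if any(ip in net for net in BLOCKED_NETWORKS):
            return False, f"{parts.hostname} resolves to blocked address {ip}"
    return True, "ok"

# Constructed resolver so the demo runs offline: one public theme host, one
# internal name, and pass-through for literal IP addresses.
DEMO_DNS = {"themes.example.org": {"203.0.113.10"},
            "registry.corp.example": {"10.20.30.40"}}

def demo_resolver(host):
    return DEMO_DNS.get(host) or {str(ipaddress.ip_address(host))}
```

The check is only as good as the connection that follows it: a fetch that re-resolves the name, or follows a redirect without repeating the check, reopens the same hole.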

Advisories

No advisories yet.

History

Sat, 02 May 2026 00:45:00 +0000

Type                  Values Removed    Values Added
Title                                   Authenticated SSRF Enabling Internal Network Scanning

Fri, 01 May 2026 08:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Halo; Halo halo
Vendors & Products                      Halo; Halo halo

Thu, 30 Apr 2026 18:15:00 +0000

Type                  Values Removed    Values Added
Weaknesses                              CWE-918
Metrics                                 cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
                                        ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 16:15:00 +0000

Type                  Values Removed    Values Added
Description                             A Server-Side Request Forgery (SSRF) in the /themes/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-30T18:05:40.157Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36759

Vulnrichment

Updated: 2026-04-30T18:03:00.884Z

NVD

Status : Deferred

Published: 2026-04-30T16:16:42.513

Modified: 2026-04-30T18:16:28.770

Link: CVE-2026-36759

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:30:16Z

Weaknesses