Halo Dev · Halo · CVE-2026-15326
**Name of the Vulnerable Software and Affected Versions**
halo-dev halo versions prior to 2.24.3
**Description**
A path traversal issue exists in the Theme Installation component within the `ThemeUtils.unzipThemeTo()` function of the `ThemeUtils.java` file. This occurs when the `metadata.name` argument is manipulated, allowing a remote attacker to perform path traversal, which is a method used to access files and directories that are stored outside the intended folder.
**Recommendations**
Update halo-dev halo to a version newer than 2.24.2.
As a temporary mitigation, restrict the use of the `ThemeUtils.unzipThemeTo()` function until the update is applied.