Moderate severity · NVD Advisory · Published Nov 30, 2021 · Updated Apr 30, 2025
Hexo - Stored XSS
CVE-2021-25987
Description
Hexo versions 0.0.1 to 5.4.0 are vulnerable to stored XSS. The post “body” and “tags” are not sanitized for malicious JavaScript during web page generation. A local unprivileged attacker can inject arbitrary code.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| hexo (npm) | >= 0.0.1, < 6.0.0 | 6.0.0 |
References
- github.com/advisories/GHSA-q54r-r9pr-w7qv (advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-25987 (advisory)
- github.com/hexojs/hexo/commit/5170df2d3fa9c69e855c4b7c2b084ebfd92d5200 (web)
- github.com/hexojs/hexo/issues/4838 (web)
- github.com/hexojs/hexo/pull/4750 (web)
- www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25987 (web)