VYPR
Medium severity5.8NVD Advisory· Published Oct 29, 2025· Updated Apr 15, 2026

CVE-2025-60898

CVE-2025-60898

Description

An unauthenticated server-side request forgery (SSRF) vulnerability in the Thumbnail via-uri endpoint of Halo CMS 2.21 allows a remote attacker to cause the server to issue HTTP requests to attacker-controlled URLs, including internal addresses. The endpoint performs a server-side GET to a user-supplied URI without adequate allow/blocklist validation and returns a 307 redirect that can disclose internal URLs in the Location header.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Halo Dev/Haloinferred2 versions
    = 2.21+ 1 more
    • (no CPE)range: = 2.21
    • (no CPE)range: = 2.21

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.