fkie_cve-2025-53941
Vulnerability from fkie_nvd
Published
2025-07-17 14:15
Modified
2025-07-17 21:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue.
References
security-advisories@github.comhttps://github.com/fedify-dev/hollo/commit/f9d25e10ba5406c27f9e87dfb01f75b6a52f2410
security-advisories@github.comhttps://github.com/fedify-dev/hollo/releases/tag/0.6.5
security-advisories@github.comhttps://github.com/fedify-dev/hollo/security/advisories/GHSA-w7gc-g3x7-hq8h
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/fedify-dev/hollo/security/advisories/GHSA-w7gc-g3x7-hq8h
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue."
    },
    {
      "lang": "es",
      "value": "Hollo es un software de microblogging federado para un solo usuario, dise\u00f1ado para federarse a trav\u00e9s de ActivityPub. Las versiones anteriores a la 0.6.5 permiten el env\u00edo de elementos de formulario HTML, lo que hace que el software sea vulnerable a la inyecci\u00f3n de HTML. La versi\u00f3n 0.6.5 soluciona el problema."
    }
  ],
  "id": "CVE-2025-53941",
  "lastModified": "2025-07-17T21:15:50.197",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-17T14:15:32.737",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/fedify-dev/hollo/commit/f9d25e10ba5406c27f9e87dfb01f75b6a52f2410"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/fedify-dev/hollo/releases/tag/0.6.5"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-w7gc-g3x7-hq8h"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-w7gc-g3x7-hq8h"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.