Search criteria
2 vulnerabilities found for hollo by fedify-dev
CVE-2025-53941 (GCVE-0-2025-53941)
Vulnerability from cvelistv5 – Published: 2025-07-17 14:01 – Updated: 2025-07-17 14:21
VLAI?
Title
Hollo renders posts received with form elements and allows submission
Summary
Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| fedify-dev | hollo |
Affected:
< 0.6.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53941",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-17T14:19:28.629628Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T14:21:36.942Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-w7gc-g3x7-hq8h"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hollo",
"vendor": "fedify-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T14:01:34.436Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-w7gc-g3x7-hq8h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-w7gc-g3x7-hq8h"
},
{
"name": "https://github.com/fedify-dev/hollo/commit/f9d25e10ba5406c27f9e87dfb01f75b6a52f2410",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/hollo/commit/f9d25e10ba5406c27f9e87dfb01f75b6a52f2410"
},
{
"name": "https://github.com/fedify-dev/hollo/releases/tag/0.6.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/hollo/releases/tag/0.6.5"
}
],
"source": {
"advisory": "GHSA-w7gc-g3x7-hq8h",
"discovery": "UNKNOWN"
},
"title": "Hollo renders posts received with form elements and allows submission"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53941",
"datePublished": "2025-07-17T14:01:34.436Z",
"dateReserved": "2025-07-14T17:23:35.262Z",
"dateUpdated": "2025-07-17T14:21:36.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53941 (GCVE-0-2025-53941)
Vulnerability from nvd – Published: 2025-07-17 14:01 – Updated: 2025-07-17 14:21
VLAI?
Title
Hollo renders posts received with form elements and allows submission
Summary
Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| fedify-dev | hollo |
Affected:
< 0.6.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53941",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-17T14:19:28.629628Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T14:21:36.942Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-w7gc-g3x7-hq8h"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hollo",
"vendor": "fedify-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T14:01:34.436Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-w7gc-g3x7-hq8h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-w7gc-g3x7-hq8h"
},
{
"name": "https://github.com/fedify-dev/hollo/commit/f9d25e10ba5406c27f9e87dfb01f75b6a52f2410",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/hollo/commit/f9d25e10ba5406c27f9e87dfb01f75b6a52f2410"
},
{
"name": "https://github.com/fedify-dev/hollo/releases/tag/0.6.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/hollo/releases/tag/0.6.5"
}
],
"source": {
"advisory": "GHSA-w7gc-g3x7-hq8h",
"discovery": "UNKNOWN"
},
"title": "Hollo renders posts received with form elements and allows submission"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53941",
"datePublished": "2025-07-17T14:01:34.436Z",
"dateReserved": "2025-07-14T17:23:35.262Z",
"dateUpdated": "2025-07-17T14:21:36.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}