CVE-2025-60898

Published: Oct 29, 2025

Modified: Oct 29, 2025

PUBLISHED

Description

An unauthenticated server-side request forgery (SSRF) vulnerability in the Thumbnail via-uri endpoint of Halo CMS 2.21 allows a remote attacker to cause the server to issue HTTP requests to attacker-controlled URLs, including internal addresses. The endpoint performs a server-side GET to a user-supplied URI without adequate allow/blocklist validation and returns a 307 redirect that can disclose internal URLs in the Location header.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://halo.com

https://github.com/abdulr7mann/CVEs/blob/main/CVE-2025-60898/CVE-2025-60898.md

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-60898

Description

Affected Products

References