Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Hexo up to v7.0.0 (RC2) was discovered to contain an arbitrary file read vulnerability.
Advisories for Npm/Hexo package
2023
2021
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Hexo is vulnerable to stored XSS. The post body and tags don’t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.