Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Hexo up to v7.0.0 (RC2) was discovered to contain an arbitrary file read vulnerability.
Hexo is vulnerable to stored XSS. The post body and tags are not sanitized for malicious JavaScript during web page generation. A local unprivileged attacker can inject arbitrary code.