CVE-2021-25987

MEDIUM

hexo 0.0.1-5.4.0 - Stored Cross-Site Scripting in Post Body and Tags

Title source: llm
STIX 2.1

Description

Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post “body” and “tags” don’t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.

References (2)

Core 2

Scores

CVSS v3 5.0
EPSS 0.0033
EPSS Percentile 24.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
hexo/hexo 0.0.1 - 5.4.0
npm/hexo 0.0.1 - 6.0.0npm
Published Nov 30, 2021
Tracked Since Feb 18, 2026