Hollo renders posts received with form elements and allows submission

6.1 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue.

Basic Information

ID CVE-2025-53941

Source GitHub_M

Published Jul 17, 2025 at 14:01

Modified Jul 17, 2025 at 14:21

Affected Product

Vendor fedify-dev

Product hollo

Version < 0.6.5

Affected Versions fedify-dev hollo < 0.6.5

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue.",
    "published": "2025-07-17T14:01:34.436Z",
    "modified": "2025-07-17T14:21:36.942Z",
    "type": "cve",
    "title": "Hollo renders posts received with form elements and allows submission",
    "source": "GitHub_M",
    "references": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-w7gc-g3x7-hq8h\nhttps://github.com/fedify-dev/hollo/commit/f9d25e10ba5406c27f9e87dfb01f75b6a52f2410\nhttps://github.com/fedify-dev/hollo/releases/tag/0.6.5",
    "id": "CVE-2025-53941",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "fedify-dev hollo < 0.6.5",
    "sourceHref": "",
    "cvss": {
        "score": 6.1,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "hollo",
    "version": "< 0.6.5",
    "vendor": "fedify-dev",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Hollo renders posts received with form elements and allows submission_CVE-2025-53941