CVE-2025-53941

Hollo renders posts received with form elements and allows submission

CVSS 6.1 MEDIUM · EPSS 0.2% · CWE-79
Hollo is single-user microblogging software that federates through ActivityPub. Versions prior to 0.6.5 render HTML form elements contained in received posts and allow those forms to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
fedify-dev · hollo
