16 matches found
CVE-2021-30637
CVE-2021-30637 affects htmly 2.8.0, allowing stored XSS via the blog title, Tagline, or Description submitted to config.html.php. The root cause is unescaped user input stored and later reflected, enabling script execution in affected pages. Public writeups and exploits exist (e.g., PacketStorm/E...
CVE-2020-23766
CVE-2020-23766 affects htmly v2.7.5. A path-traversal-like vulnerability lets a remote attacker with Administrator privileges delete arbitrary files on the server by supplying an absolute path. The impact is deletion with potential partial integrity and availability effects, per provided referenc...
CVE-2022-25022
CVE-2022-25022 is a cross-site scripting (XSS) vulnerability in Htmly v2.8.1 where an attacker can inject arbitrary HTML/script via the blog post content field. Multiple connected records (including Red Hat, CNVD, OSV, and CNVD-style entries) corroborate this issue with consistent description: vu...
CVE-2024-34191
HTMly version 2.9.6 is affected by CVE-2024-34191, a vulnerability in delete_post() (admin.php) that enables arbitrary file deletion via a crafted request. The issue is documented across multiple sources (NVD/Red Hat OSV, etc.), with a CVSS v3.1 base score of 6.5 (I: High, A: None) and an attack ...
CVE-2022-1087
CVE-2022-1087 affects htmly 5.3, specifically the Edit Profile Module. The vulnerability enables persistent cross-site scripting by manipulating the Title field with script tags. Exploitation is remote and requires authentication; a POC has been publicly disclosed. Multiple connected sources corr...
CVE-2021-42946
CVE-2021-42946 describes a Cross Site Scripting (XSS) vulnerability in HTMLy 2.8.1 that can be triggered through the “copyright” field on the /admin/config page. The connected sources confirm the affected product and location of the vulnerability, but do not provide explicit details on root cause...
CVE-2021-33354
The CVE-2021-33354 issue affects htmly prior to 2.8.1 and is a Directory Traversal vulnerability that allows remote attackers to delete arbitrary files via a modified file parameter. The root cause is improper validation of the file parameter, enabling access to files outside the intended directo...
CVE-2021-42867
CVE-2021-42867 pertains to HTMLy 2.8.1 (also referenced as DanPros htmly 2.8.1) and describes a cross-site scripting (XSS) vulnerability that originates in the Description field used by the admin/config and index.php pages. The root cause is that unsanitized or unsafe content in the Description f...
CVE-2021-36702
CVE-2021-36702 affects htmly 2.8.1. The vulnerability is a stored XSS in the content field of the “regular post” → “add content” page in the dashboard. It allows an attacker who can issue authenticated POST requests to add/content to inject arbitrary HTML/scripts, enabling cross-site script exec...
CVE-2021-40285
htmly v2.8.1 contains an arbitrary file deletion vulnerability in the component \views\backup.html.php. Affected software: htmly 2.8.1. Root cause: arbitrary file deletion via the backup page component. Impact per CVSS: I and A HIGH, with availability impact also HIGH (per NVD metrics). Exploitat...
CVE-2021-36703
CVE-2021-36703 concerns Htmly 2.8.1. The vulnerability is a stored XSS in the blog title field on the Settings/config page of the dashboard, allowing an authenticated attacker to submit a crafted website name via an HTTP POST to admin/config and inject arbitrary script/HTML. Multiple connected s...
CVE-2024-30953
CVE-2024-30953 is a stored XSS in Htmly v2.9.5, exploitable via a crafted payload injected into the Link Name parameter of the Menu Editor. Affected component: Menu Editor in Htmly 2.9.5; root cause is insufficient sanitization of the Link Name input, enabling arbitrary script execution in the vi...
CVE-2021-36701
CVE-2021-36701 affects htmly version 2.8.1. The issue enables arbitrary file deletion on the local host when deleting backup files, potentially allowing a remote attacker to delete arbitrary known files on the host. The available descriptions consistently state the vulnerable component and the im...
CVE-2019-8349
Multiple XSS vulnerabilities in HTMLy 2.7.4 allow remote attackers to inject arbitrary scripts via (1) destination parameter to delete and (2) destination parameter to edit, and via the content parameter in the profile feature. Affected product: HTMLy 2.7.4. Root cause: input handling in the dele...
CVE-2025-56154
htmly v3.0.8 is vulnerable to Cross Site Scripting (XSS) in the /author/:name endpoint. The name parameter is not properly sanitized before reflecting in the HTML response, enabling injection of arbitrary JavaScript. The CVE description confirms the affected software and the vulnerability locatio...
CVE-2025-10758
CVE-2025-10758 affects htmly up to 3.1.0, specifically the Custom Field Handler’s file /htmly/admin/field/post. A vulnerability arises from manipulation of the label argument in an unknown function, enabling cross-site scripting (XSS). The issue can be triggered remotely and exploit details have ...