hexo-admin is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject arbitrary Javascript into a victim’s browser via the post-editor. Successful exploitation can result in the theft of session cookies or execution of unauthorized actions on behalf of the user.