Package details: pkg:npm/hexo@6.0.0
purl pkg:npm/hexo@6.0.0
Next non-vulnerable version 7.2.0
Latest non-vulnerable version 7.2.0
Risk 4.0
Vulnerabilities affecting this package (1)
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-ckh6-gapd-qfeg (Aliases: CVE-2023-39584, GHSA-x2jc-989c-47q4) | Hexo up to v7.0.0 (RC2) was discovered to contain an arbitrary file read vulnerability. | 7.2.0 (Affected by 0 other vulnerabilities.) |
Vulnerabilities fixed by this package (1)
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-yfsp-ucq1-d3b8 | Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post “body” and “tags” don’t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code. | CVE-2021-25987, GHSA-q54r-r9pr-w7qv |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-12T19:04:45.494886+00:00 | GitLab Importer | Affected by | VCID-ckh6-gapd-qfeg | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hexo/CVE-2023-39584.yml | 38.6.0 |
| 2026-06-12T08:03:44.673033+00:00 | GithubOSV Importer | Fixing | VCID-yfsp-ucq1-d3b8 | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-q54r-r9pr-w7qv/GHSA-q54r-r9pr-w7qv.json | 38.6.0 |
| 2026-06-11T20:27:13.133002+00:00 | GHSA Importer | Fixing | VCID-yfsp-ucq1-d3b8 | https://github.com/advisories/GHSA-q54r-r9pr-w7qv | 38.6.0 |