CVE-2025-49138

🗓️ 09 Jun 2025 21:05:23Reported by GitHub_MType

cve🔗 web.nvd.nist.gov📰️ 2 Media mentions👁 59 Views🌐 WEB

HAX CMS PHP has a Local File Inclusion vulnerability allowing file access by low-privileged users.

Reporter	Title	Published	Views	Family All 13
Circl	CVE-2025-49138	9 Jun 202515:01	–	circl
CNNVD	HAX 安全漏洞	9 Jun 202500:00	–	cnnvd
Cvelist	CVE-2025-49138 HAX CMS vulnerable to Local File Inclusion via saveOutline API Location Parameter	9 Jun 202521:05	–	cvelist
EUVD	EUVD-2025-17561	3 Oct 202520:07	–	euvd
Github Security Blog	HAX CMS vulnerable to Local File Inclusion via saveOutline API Location Parameter	9 Jun 202517:47	–	github
NVD	CVE-2025-49138	9 Jun 202521:15	–	nvd
OSV	CVE-2025-49138 HAX CMS vulnerable to Local File Inclusion via saveOutline API Location Parameter	9 Jun 202521:05	–	osv
OSV	GHSA-HXRR-X32W-CG8G HAX CMS vulnerable to Local File Inclusion via saveOutline API Location Parameter	9 Jun 202517:47	–	osv
Positive Technologies	PT-2025-24563 · Hax Cms · Hax Cms	9 Jun 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-49138	11 Jun 202521:08	–	redhatcve

NVD

Vulners

Node

psu haxcms-phpRange<11.0.0

[
  {
    "vendor": "haxtheweb",
    "product": "issues",
    "versions": [
      {
        "version": "< 11.0.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/haxtheweb/issues/security/advisories/GHSA-hxrr-x32w-cg8g
github	www.github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/HAXCMSSite.php

Parameter	Position	Path	Description	CWE
location	request body	/system/api/saveOutline	Authenticated LFI vulnerability: user-supplied location value is stored in site.json and later interpreted to load files, allowing reading of arbitrary server files (e.g., /etc/passwd) via the location field.	CWE-22, CWE-73

30 Jul 2025 17:35Current

6.4Medium risk

Vulners AI Score6.4

CVSS 3.16.5

EPSS0.00387

SSVC