Local File Inclusion (LFI)
elmsln/haxcms is vulnerable to Local File Inclusion LFI. The vulnerability is due to improper input validation in the saveOutline endpoint, allowing low-privileged authenticated users to manipulate the location field in site.json and access arbitrary files on the server...