5 matches found
CVE-2026-46357
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire...
PT-2025-30941 · Hax Cms +1 · Hax Cms +2
Name of the Vulnerable Software and Affected Versions: HAX CMS versions 11.0.8 and below haxcms-php HAX CMS versions 11.0.13 and below haxcms-nodejs Description: The HAX CMS API endpoints do not perform authorization checks when interacting with resources. Both the JavaScript and PHP versions of...
CVE-2025-54137
HAX CMS NodeJS allows users to manage their microsite universe with a NodeJS backend. Versions 11.0.9 and below were distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys for JWTs. Users aren't prompted to change...
CVE-2025-48996
CVE-2025-48996 describes an unauthenticated information disclosure in HAX open-apis used by PSU deployment of HAX CMS via the haxPsuUsage API endpoint. The vulnerability allows remote, unauthenticated users to enumerate a full list of PSU websites hosted on HAX CMS. The issue is associated with o...
PT-2025-23555 · Hax · Hax Cms +1
Name of the Vulnerable Software and Affected Versions: HAX open-apis versions up to and including 10.0.2 Description: An unauthenticated information disclosure issue exists in the HAX content management system via the haxPsuUsage API endpoint. This allows any remote unauthenticated user to retrie...