GHSA-G2G8-95QG-V35H HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint

Summary HaxCMS is affected by a stored cross-site scripting XSS vulnerability in the /system/api/saveNode endpoint. An authenticated user with a permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name. For example...

HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint

Summary HaxCMS is affected by a stored cross-site scripting XSS vulnerability in the /system/api/saveNode endpoint. An authenticated user with a permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name. For example...

@haxtheweb/create (>=0.1.3 <=25.0.2), @haxtheweb/open-apis (>=11.0.2 <=25.0.0) +1 more potentially affected by CVE-2026-46357 via @haxtheweb/haxcms-nodejs (>=0.0.13 <=25.0.0)

@haxtheweb/haxcms-nodejs NPM version =0.0.13, =0.1.3, =11.0.2, =1.0.0, =1.0.7 Source cves: CVE-2026-46357 Source advisory: OSV:GHSA-9R33-XHW8-4QQP...

Cross-site Scripting (XSS)

Overview @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper sanitization of elements that allow javascript: URIs in the src attribute. An attacker can execute arbitrary JavaScript in the victim's browser...

GHSA-6C8G-9HFH-PQ5H HAXcms: Private Key Disclosure via Broken HMAC Implementation

Summary The hmacBase64 function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system’s private signing key and forge arbitrary admin-level JSON Web Tokens JWTs allowing them to get full admin...

HAXcms createSite SSRF Enables Arbitrary File Read

Summary An authenticated Server-Side Request Forgery SSRF vulnerability in HAXcms allows users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. Details The createSite endpoint in HAXcms...

GHSA-Q862-GCGQ-5M6G HAXcms createSite SSRF Enables Arbitrary File Read

Summary An authenticated Server-Side Request Forgery SSRF vulnerability in HAXcms allows users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. Details The createSite endpoint in HAXcms...

PT-2026-41975

Summary An authenticated Server-Side Request Forgery SSRF vulnerability in HAXcms allows users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. Details The createSite endpoint in HAXcms...

GHSA-3FM2-XFQ7-7778 HAXcms Has Stored XSS Vulnerability that May Lead to Account Takeover

Summary Stored XSS Leading to Account Takeover Details The Exploit Chain: 1.Upload: The attacker uploads an .html file containing a JavaScript payload. 2.Execution: A logged-in administrator is tricked into visiting the URL of this uploaded file. 3.Token Refresh: The JavaScript payload makes a...

EUVD-2025-21181

Malicious code in bioql PyPI...

EUVD-2025-22261

Malicious code in bioql PyPI...

Improper Authorization

Overview @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Improper Authorization in the API endpoints, which do not verify user permissions before performing operations. An attacker can gain unauthorized access to resources or perform actions...

@haxtheweb/create (>=0.1.3 <=11.0.2), @haxtheweb/open-apis (=11.0.2) potentially affected by CVE-2025-54378 via @haxtheweb/haxcms-nodejs (>=0.0.13 <=10.0.6)

@haxtheweb/haxcms-nodejs NPM version =0.0.13, =0.1.3, =11.0.2 - @haxtheweb/open-apis =11.0.2 Source cves: CVE-2025-54378 Source advisory: OSV:GHSA-9JR9-8FF3-M894...

Cross-Site Scripting (XSS)

@haxtheweb/haxcms-nodejs is vulnerable to cross-site scripting. The vulnerability is due to the explicit disabling of the Content Security Policy CSP in the Helmet configuration in app.js, which allows an attacker to inject and execute malicious scripts in the context of the application...

CVE-2025-54127

HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS version of HAXcms uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authenticati...

Clickjacking

@haxtheweb/haxcms-nodejs and elmsln/haxcms are vulnerable to Clickjacking. The vulnerability is due to missing anti-framing headers caused by the absence of X-Frame-Options or equivalent headers in both the CMS and generated sites, allowing unauthenticated attackers to embed sensitive pages in...

NodeJS 安全漏洞

NodeJS is a JavaScript runtime environment based on the ChromeV8 engine from the OpenJS Foundation. By encapsulating the Chromev8 engine and using event-driven and non-blocking IO applications make it possible to develop high-performance backend applications in Javascript. A security vulnerabilit...

HAXcms with nodejs backend 安全漏洞

HAXcms with nodejs backend is an open source backend management system from HAX The Web. A security vulnerability exists in HAXcms with nodejs backend version 11.0.9 and earlier, which stems from hardcoding default credentials and JWT private keys, which could lead to unauthorized access...

CVE-2025-54127

HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS version of HAXcms uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authenticati...

@haxtheweb/create (>=0.1.3 <=11.0.2), @haxtheweb/open-apis (=11.0.2) potentially affected by CVE-2025-54139 via @haxtheweb/haxcms-nodejs (>=0.0.13 <=10.0.6)

@haxtheweb/haxcms-nodejs NPM version =0.0.13, =0.1.3, =11.0.2 - @haxtheweb/open-apis =11.0.2 Source cves: CVE-2025-54139 Source advisory: OSV:GHSA-54VW-F4XF-F92J...