4323 matches found

Vulnrichment
added 2025/07/22 9:34 p.m. | 4 views

CVE-2025-54137 NodeJS version of the HAX CMS application is distributed with Default Secrets

HAX CMS NodeJS allows users to manage their microsite universe with a NodeJS backend. Versions 11.0.9 and below were distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys for JWTs. Users aren't prompted to change...

CVSS 7.3 | AI score 6.3 | EPSS 0.0049
Exploits: 0 | References: 3

Cvelist
added 2025/07/22 9:34 p.m. | 7 views

CVE-2025-54137 NodeJS version of the HAX CMS application is distributed with Default Secrets

HAX CMS NodeJS allows users to manage their microsite universe with a NodeJS backend. Versions 11.0.9 and below were distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys for JWTs. Users aren't prompted to change...

CVSS 7.3 | EPSS 0.0049
Exploits: 0 | References: 3

OSV
added 2025/07/22 9:34 p.m. | 4 views

CVE-2025-54137 NodeJS version of the HAX CMS application is distributed with Default Secrets

HAX CMS NodeJS allows users to manage their microsite universe with a NodeJS backend. Versions 11.0.9 and below were distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys for JWTs. Users aren't prompted to change...

CVSS 7.3 | AI score 6.5 | EPSS 0.0049
Exploits: 0 | References: 5

OSV
added 2025/07/22 6:14 p.m. | 2 views

CLSA-2025-1753208069 nodejs: Fix of CVE-2025-23166

CVE-2025-23166: src: fix error handling on async crypto operations...

CVSS 7.5 | AI score 7.3 | EPSS 0.00304
Exploits: 0 | References: 1

SUSE CVE
added 2025/07/21 11:24 p.m. | 1 view

SUSE CVE-2025-27209

The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even witho...

CVSS 7.5 | AI score 7 | EPSS 0.00148
Exploits: 0 | References: 3

NVD
added 2025/07/21 9:15 p.m. | 5 views

CVE-2025-54134

HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.8 and below, the HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles...

CVSS 7.1 | EPSS 0.00189
Exploits: 0 | References: 4

NVD
added 2025/07/21 9:15 p.m. | 3 views

CVE-2025-54128

HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.7 and below, the NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect against...

CVSS 7.2 | EPSS 0.00167
Exploits: 0 | References: 2

NVD
added 2025/07/21 9:15 p.m. | 3 views

CVE-2025-54127

HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS version of HAXcms uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authenticati...

CVSS 9.8 | EPSS 0.00303
Exploits: 0 | References: 1

vulnersOsv
added 2025/07/21 9:12 p.m. | 16 views

@haxtheweb/create (>=0.1.3 <=11.0.2), @haxtheweb/open-apis (=11.0.2) potentially affected by CVE-2025-54139 via @haxtheweb/haxcms-nodejs (>=0.0.13 <=10.0.6)

@haxtheweb/haxcms-nodejs NPM version =0.0.13, =0.1.3, =11.0.2 - @haxtheweb/open-apis =11.0.2 Source cves: CVE-2025-54139 Source advisory: OSV:GHSA-54VW-F4XF-F92J...

CVSS 6.1 | AI score 5.8 | EPSS 0.00198
Exploits: 1

Cvelist
added 2025/07/21 8:58 p.m. | 15 views

CVE-2025-54134 HAX CMS NodeJs's Improper Error Handling Leads to Denial of Service

HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.8 and below, the HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles...

CVSS 7.1 | EPSS 0.00189
Exploits: 0 | References: 4

OSV
added 2025/07/21 8:58 p.m. | 2 views

CVE-2025-54134 HAX CMS NodeJs's Improper Error Handling Leads to Denial of Service

HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.8 and below, the HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles...

CVSS 7.1 | AI score 6.4 | EPSS 0.00189
Exploits: 0 | References: 6

CVE
added 2025/07/21 8:58 p.m. | 26 views

CVE-2025-54134

CVE-2025-54134 affects HAX CMS NodeJs. In versions 11.0.8 and earlier, the NodeJS backend crashes when an authenticated attacker sends API requests to the affected endpoints (listFiles and saveFiles) without required URL parameters. The issue arises from improper exception handling after changes ...

CVSS 7.1 | AI score 6.2 | EPSS 0.00189
Exploits: 0 | References: 4 | Affected Software: 1

Vulnrichment
added 2025/07/21 8:58 p.m. | 4 views

CVE-2025-54134 HAX CMS NodeJs's Improper Error Handling Leads to Denial of Service

HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.8 and below, the HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles...

CVSS 7.1 | AI score 6 | EPSS 0.00189
Exploits: 0 | References: 4

Vulnrichment
added 2025/07/21 8:46 p.m. | 2 views

CVE-2025-54128 HAX CMS NodeJs's Disabled Content Security Policy Enables Cross-Site Scripting

HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.7 and below, the NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect against...

CVSS 7.2 | AI score 6.9 | EPSS 0.00167
Exploits: 0 | References: 2

Cvelist
added 2025/07/21 8:46 p.m. | 9 views

CVE-2025-54128 HAX CMS NodeJs's Disabled Content Security Policy Enables Cross-Site Scripting

HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.7 and below, the NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect against...

CVSS 7.2 | EPSS 0.00167
Exploits: 0 | References: 2

CVE
added 2025/07/21 8:46 p.m. | 16 views

CVE-2025-54128

CVE-2025-54128 affects the NodeJS version of HAX CMS. In versions ≤11.0.7, CSP is disabled in the Helmet config (app.js), creating vulnerability to cross-site scripting. The issue is fixed in version 11.0.8. Affected project: HAX CMS NodeJS; root cause: explicit CSP disablement. Impact statements...

CVSS 7.2 | AI score 6.4 | EPSS 0.00167
Exploits: 0 | References: 2 | Affected Software: 1

OSV
added 2025/07/21 8:46 p.m. | 3 views

CVE-2025-54128 HAX CMS NodeJs's Disabled Content Security Policy Enables Cross-Site Scripting

HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.7 and below, the NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect against...

CVSS 7.2 | AI score 6.5 | EPSS 0.00167
Exploits: 0 | References: 4

Cvelist
added 2025/07/21 8:36 p.m. | 6 views

CVE-2025-54127 HAXcms's Insecure Default Configuration Leads to Unauthenticated Access

HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS version of HAXcms uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authenticati...

CVSS 9.3 | EPSS 0.00303
Exploits: 0 | References: 1

Vulnrichment
added 2025/07/21 8:36 p.m. | 2 views

CVE-2025-54127 HAXcms's Insecure Default Configuration Leads to Unauthenticated Access

HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS version of HAXcms uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authenticati...

CVSS 9.3 | AI score 7.1 | EPSS 0.00303
Exploits: 0 | References: 1

OSV
added 2025/07/21 8:36 p.m. | 3 views

CVE-2025-54127 HAXcms's Insecure Default Configuration Leads to Unauthenticated Access

HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS version of HAXcms uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authenticati...

CVSS 9.3 | AI score 6.5 | EPSS 0.00303
Exploits: 0 | References: 3