@haxtheweb/create (>=0.1.3 <=11.0.2), @haxtheweb/open-apis (=11.0.2) potentially affected by CVE-2025-54137 via @haxtheweb/haxcms-nodejs (>=0.0.13 <=10.0.6)
@haxtheweb/haxcms-nodejs NPM version =0.0.13, =0.1.3, =11.0.2 - @haxtheweb/open-apis =11.0.2 Source cves: CVE-2025-54137 Source advisory: OSV:GHSA-5FPV-5QVH-7CF3...
@haxtheweb/create (>=0.1.3 <=25.0.0), @haxtheweb/open-apis (>=11.0.2 <=11.0.3) potentially affected by CVE-2025-54134 via @haxtheweb/haxcms-nodejs (>=0.0.13 <=11.0.15)
@haxtheweb/haxcms-nodejs NPM version =0.0.13, =0.1.3, =11.0.2, =11.0.3 Source cves: CVE-2025-54134 Source advisory: OSV:GHSA-PJJ3-J5J6-QJ27...
GHSA-PJJ3-J5J6-QJ27 HAX CMS NodeJS Application Has Improper Error Handling That Leads to Denial of Service
Summary The HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles endpoints. Details This vulnerability exists because the application does not properly handle exceptions...
GHSA-59G8-H59F-8HJP NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting
Summary The NodeJS version of HAX CMS has a disabled Content Security Policy CSP. This configuration is insecure for a production application because it does not protect against cross-site-scripting attacks. Details The contentSecurityPolicy value is explicitly disabled in the application's Helme...
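Added example, not HAX CMS or Helmet code, for the disabled-CSP finding in this advisory and the matching PT entry on this page. It places the weak Helmet option (`contentSecurityPolicy: false`, which stops Helmet emitting the header at all) beside an explicit policy, serialises that policy into the header value a response would carry, and audits a response's headers for the gap. The option shape is Helmet's documented one; the directive values are an assumed starting policy, not HAX CMS's, and the header-producing function is a stand-in for the middleware.

```javascript
// Added example (not haxcms-nodejs or Helmet code).

// Weak: disables the CSP middleware entirely. With no policy, nothing limits
// where script may load from or whether inline script runs, so any stored or
// reflected XSS executes unconstrained.
const helmetOptionsWeak = { contentSecurityPolicy: false };

// Hardened: an explicit allow-list. Start strict and widen per asset origin.
// (Assumed starting policy, not the project's.)
const helmetOptionsHardened = {
  contentSecurityPolicy: {
    directives: {
      "default-src": ["'self'"],
      "script-src": ["'self'"],
      "style-src": ["'self'"],
      "img-src": ["'self'", "data:"],
      "object-src": ["'none'"],
      "base-uri": ["'self'"],
      "frame-ancestors": ["'none'"],
    },
  },
};

// Serialise a directives object into the Content-Security-Policy header value.
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => (values.length ? `${name} ${values.join(" ")}` : name))
    .join("; ");
}

// Stand-in for the middleware: the headers a response carries under a config.
function responseHeadersFor(options) {
  const headers = { "x-content-type-options": "nosniff" };
  const csp = options.contentSecurityPolicy;
  if (csp && csp.directives) {
    headers["content-security-policy"] = serializeCsp(csp.directives);
  }
  return headers;
}

// Parse a CSP header value back into { directive: [sources] }.
function parseCsp(value) {
  return Object.fromEntries(
    value
      .split(";")
      .map((d) => d.trim())
      .filter(Boolean)
      .map((d) => {
        const [name, ...sources] = d.split(/\s+/);
        return [name, sources];
      })
  );
}

// Audit: flag a missing header and the common weakenings that still let
// injected script run even when a header is present.
function auditCsp(headers) {
  const value = headers["content-security-policy"];
  if (!value) return ["no Content-Security-Policy header"];
  const findings = [];
  const directives = parseCsp(value);
  const scriptSrc = directives["script-src"] || directives["default-src"];
  if (!scriptSrc) {
    findings.push("no script-src or default-src");
  } else {
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
    if (scriptSrc.includes("*")) findings.push("script-src allows any origin");
  }
  if (!directives["object-src"]) findings.push("object-src not restricted");
  if (!directives["base-uri"]) findings.push("base-uri not restricted");
  return findings;
}

if (typeof module !== "undefined" && module.exports) {
  module.exports = { helmetOptionsWeak, helmetOptionsHardened, serializeCsp, responseHeadersFor, parseCsp, auditCsp };
}
```

Running the audit against a real deployment is a one-line `curl -sI` followed by `auditCsp` on the parsed headers; the point of the parser is that a present-but-permissive policy is almost as bad as the disabled one, so the check should not stop at header presence.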
GHSA-F38F-JVQJ-MFG6 NodeJS version of HAX CMS Has Insecure Default Configuration That Leads to Unauthenticated Access
Summary The NodeJS version of HAX CMS uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authentication checks. Details If a user were to deploy haxcms-nodejs without modifying the default settings,...
PT-2025-30348 · Unknown · Haxcms-Nodejs
Name of the Vulnerable Software and Affected Versions: HAX CMS NodeJs versions 11.0.8 and below Description: HAX CMS NodeJs, a system for managing microsite universes with a NodeJs backend, is susceptible to a crash issue. An authenticated attacker can trigger this issue by sending API requests t...
PT-2025-30359 · Unknown · Haxcms-Nodejs
Name of the Vulnerable Software and Affected Versions: HAX CMS NodeJS versions 11.0.9 and below Description: HAX CMS NodeJS is distributed with hardcoded default credentials for user and superuser accounts and default private keys for JWTs. Users are not prompted to change these credentials or...
HAXcms with nodejs backend security vulnerability
HAXcms with nodejs backend is an open-source backend management system from HAX The Web. A security vulnerability exists in HAXcms with nodejs backend version 11.0.6 and earlier; it stems from JWT checking being disabled in the default configuration, which could lead to authentication bypass...
PT-2025-30345 · Unknown · Haxcms-Nodejs
Name of the Vulnerable Software and Affected Versions: HAX CMS NodeJs versions 11.0.7 and below Description: HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. The NodeJS version of HAX CMS has a disabled Content Security Policy CSP in versions 11.0.7 and below...
CLSA-2025-1752922753 nodejs: Fix of CVE-2024-27983
CVE-2024-27983: ensure to close stream when destroying session to prevent memory leak...
CBL Mariner 2.0 Security Update: nodejs / nodejs18 (CVE-2025-23166)
The version of nodejs / nodejs18 installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-23166 advisory. - The C++ method SignTraits::DeriveBits May incorrectly call ThrowException based on user-supplied...
NodeJS 24.x - Path Traversal
Exploit Title : NodeJS 24.x - Path Traversal Exploit Author : Abdualhadi khalifa CVE : CVE-2025-27210 import argparse import requests import urllib.parse import json import sys def exploit_path_traversal_precise(target_url: str, target_file: str, method: str) -> dict: traverse_sequence = "..\\" * 6...
AZL-65583 CVE-2025-7656 affecting package nodejs18 for versions less than 18.20.3-8
Integer overflow in V8 in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: High...
CVE-2025-53642 haxcms-nodejs and haxcms-php Improperly Terminate Sessions
haxcms-nodejs and haxcms-php are backends for HAXcms. The logout function within the application does not terminate a user's session or clear their cookies. Additionally, the application issues a refresh token when logging out. This vulnerability is fixed in 11.0.6...
In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.
...
Azure Linux 3.0 Security Update: nodejs / nodejs18 (CVE-2025-47279)
The version of nodejs / nodejs18 installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-47279 advisory. - Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applicatio...
HAXcms with nodejs backend code issue vulnerability
HAXcms with nodejs backend is an open-source backend management system from HAX The Web. A code issue vulnerability exists in HAXcms with nodejs backend, stemming from improper session termination, which could lead to unauthorized access...