
13 matches found

RedhatCVE
added 2026/06/07 12:43 a.m. | 10 views

CVE-2026-46397

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written in...

CVSS 6.5 | AI score 5.6 | EPSS 0.00289
Exploits: 0 | References: 1

NVD
added 2026/06/05 8:17 p.m. | 12 views

CVE-2026-46397

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written in...

CVSS 6.5 | EPSS 0.00289
Exploits: 0 | References: 1

EUVD
added 2026/06/05 7:11 p.m. | 8 views

EUVD-2026-34902

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written in...

CVSS 6.5 | AI score 5.6 | EPSS 0.00289
Exploits: 0 | References: 1

ATTACKERKB
added 2026/06/05 7:11 p.m. | 6 views

CVE-2026-46397

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written in...

CVSS 6.5 | AI score 5.6 | EPSS 0.00289
Exploits: 0 | References: 2 | Affected Software: 2

Cvelist
added 2026/06/05 7:11 p.m. | 29 views

CVE-2026-46397 haxcms-php Local File Inclusion via saveOutline API Location Parameter v2.0

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written in...

CVSS 6.5 | EPSS 0.00289
Exploits: 0 | References: 1

CVE
added 2026/06/05 7:11 p.m. | 14 views

CVE-2026-46397

CVE-2026-46397 details a vulnerability in HAX CMS (PHP/Node.js backends) where an authenticated user can trigger a Local File Inclusion (LFI) via the saveOutline API, by manipulating the location field written into site.json. The issue allows reading arbitrary server files accessible to the web s...

CVSS 6.5 | AI score 5.6 | EPSS 0.00289
Exploits: 0 | References: 1

Positive Technologies
added 2026/06/05 12:0 a.m. | 14 views

PT-2026-47038

Name of the Vulnerable Software and Affected Versions: HAX CMS versions prior to 26.0.0. Description: An authenticated local file inclusion allows a low-privileged user to read arbitrary files on the server. By manipulating the location field written into site.json via the 'saveOutline' endpoint,...

CVSS 6.5 | AI score 5.6 | EPSS 0.00289
Exploits: 0 | References: 3

CNNVD
added 2026/06/05 12:0 a.m. | 9 views

HAX Security Vulnerability

HAX is an open-source microsite managed using HAX+CMS with a PHP backend. There were security vulnerabilities in HAX CMS PHP versions prior to 26.0.0. These vulnerabilities stemmed from an authentication-based local file inclusion vulnerability in the saveOutline endpoint, which could allow...

CVSS 6.5 | AI score 5.6 | EPSS 0.00289
Exploits: 0 | References: 2

Vulnrichment
added 2025/06/09 9:5 p.m. | 4 views

CVE-2025-49138 HAX CMS vulnerable to Local File Inclusion via saveOutline API Location Parameter

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, an authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field...

CVSS 6.5 | AI score 6.4 | EPSS 0.00438
Exploits: 1 | References: 2

Cvelist
added 2025/06/09 9:5 p.m. | 20 views

CVE-2025-49138 HAX CMS vulnerable to Local File Inclusion via saveOutline API Location Parameter

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, an authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field...

CVSS 6.5 | EPSS 0.00438
Exploits: 1 | References: 2

Snyk
added 2025/06/09 5:47 p.m. | 1 views

External Control of File Name or Path

Overview: elmsln/haxcms is a Headless CMS for managing and publishing hybrid static, web component driven sites. Affected versions of this package are vulnerable to External Control of File Name or Path via the location parameter in the saveOutline API endpoint. An attacker can read arbitrary file...

CVSS 7.1 | AI score 6.8 | EPSS 0.00438
Exploits: 1 | References: 3

OSV
added 2025/06/09 5:47 p.m. | 8 views

GHSA-HXRR-X32W-CG8G HAX CMS vulnerable to Local File Inclusion via saveOutline API Location Parameter

Summary: An authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as...

CVSS 6.5 | AI score 7.2 | EPSS 0.00438
Exploits: 1 | References: 4

Github Security Blog
added 2025/06/09 5:47 p.m. | 12 views

HAX CMS vulnerable to Local File Inclusion via saveOutline API Location Parameter

Summary: An authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as...

CVSS 6.5 | AI score 7.2 | EPSS 0.00438
Exploits: 1 | References: 4 | Affected Software: 1