CVE-2026-35185 HAX CMS's public /server-status endpoint exposes authentication tokens, user activity, and client IP addresses

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens usertoken, user activity, client IP addresses, and server configuration details. This allows a...

CVE-2026-35185 HAX CMS's public /server-status endpoint exposes authentication tokens, user activity, and client IP addresses

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens usertoken, user activity, client IP addresses, and server configuration details. This allows a...

HAX 日志信息泄露漏洞

HAX is an open-source microsite managed using HAX+CMS with a PHP backend. Versions prior to HAX25.0.0 contained a vulnerability related to log information leakage. This vulnerability stemmed from the /server-status endpoint being publicly accessible, which could allow unverified users to access...

PT-2026-30720

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens user token, user activity, client IP addresses, and server configuration details. This allows...

EUVD-2025-201533

The g-FFL Cockpit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the /serverstatus REST API endpoint due to a lack of capability checks. This makes it possible for unauthenticated attackers to extract information about the serv...

CVE-2025-12721

The g-FFL Cockpit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the /serverstatus REST API endpoint due to a lack of capability checks. This makes it possible for unauthenticated attackers to extract information about the serv...

CVE-2025-12721

The CVE-2025-12721 entry concerns the WordPress plugin g-FFL Cockpit (versions up to 1.7.1). Public docs indicate a Missing Authorization to Unauthenticated Information Exposure via the /server_status REST endpoint, allowing unauthenticated attackers to extract server information. Connected sourc...

PT-2025-49337

The g-FFL Cockpit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the /server status REST API endpoint due to a lack of capability checks. This makes it possible for unauthenticated attackers to extract information about the...

pixiv: Internal logs/info leaked via endpoint {https://203.137.128.240/server-status}

The server-status endpoint was accessible, allowing access to internal logs and information...