CVE-2025-49141
The CVE-2025-49141 entry concerns HAX CMS PHP (pre-11.0.3) with an OS command injection in the gitImportSite flow. The issue arises when gitImportSite retrieves a URL from a POST request and performs insufficient input validation; later, set_remote passes the input to proc_open, enabling an attac...
CVE-2025-49139
CVE-2025-49139 pertains to HAX CMS (NodeJS/PHP) prior to version 11.0.0. The issue arises from a website block in the HAX site editor that lets an authenticated user specify a target URL to load in an iframe. When a user visits the attacker-controlled HAX site, the client’s browser requests the s...
CVE-2025-49137
HAX CMS PHP prior to 11.0.0 is vulnerable to stored XSS via the saveNode and saveManifest endpoints, where unsanitized user input is stored in the site JSON schema and rendered in the generated microsite. The issue allows execution of arbitrary JavaScript through HTML tags (notably without using ...
CVE-2025-54137
The CVE-2025-54137 entry pertains to HAX CMS NodeJS. Affected versions are 11.0.9 and earlier, which were shipped with hardcoded default credentials for user and superuser accounts and default JWT private keys. Installation does not prompt for credential/secret changes, and there is no UI path to...
CVE-2025-54378
CVE-2025-54378 affects HAX CMS backends (nodejs and PHP). The issue is that API endpoints do not verify authorization for resource interactions, only checking authentication, allowing an authenticated user to perform privileged operations. Affected versions: haxcms-nodejs ≤ 11.0.13 and haxcms-php...
CVE-2025-54127
Summary: CVE-2025-54127 affects the HAXcms-nodejs backend. In versions 11.0.6 and earlier, the default NodeJS configuration is insecure for local development and does not perform Authorization/Authentication checks. If deployed without changing defaults, HAXCMS_DISABLE_JWT_CHECKS can be set to tr...
CVE-2025-54134
CVE-2025-54134 affects HAX CMS NodeJS. In versions 11.0.8 and earlier, the NodeJS backend crashes when an authenticated attacker sends API requests to the affected endpoints (listFiles and saveFiles) without required URL parameters. The issue arises from improper exception handling after changes ...
CVE-2025-54139
CVE-2025-54139 affects HAX CMS NodeJS and PHP backends. Versions haxcms-nodejs ≤ 11.0.12 and haxcms-php ≤ 11.0.7 expose pages without anti-iframe headers, enabling unauthenticated attackers to load sensitive pages (including login) in an iframe and perform a UI redress (clickjacking). Impact is U...
CVE-2025-54128
CVE-2025-54128 affects the NodeJS version of HAX CMS. In versions ≤11.0.7, CSP is disabled in the Helmet config (app.js), creating vulnerability to cross-site scripting. The issue is fixed in version 11.0.8. Affected project: HAX CMS NodeJS; root cause: explicit CSP disablement. Impact statements...
CVE-2025-53642
The CVE concerns haxcms-nodejs and haxcms-php backends for HAXcms. The logout flow does not terminate the user session or clear cookies, and a refresh token is issued on logout, enabling potential continued access. Affected versions are haxcms-nodejs and haxcms-php prior to 11.0.6. The issue is m...
CVE-2026-22704
HAX CMS (HAX) has a stored XSS vulnerability affecting versions 11.0.6 up to, but not including, 25.0.0. The issue can lead to account takeover by injecting malicious HTML/JavaScript via uploaded content, with the Red Hat/ENISAOSV/NVD entries and Snyk advisory corroborating the stored XSS path an...