Haxcms-nodejs Security Vulnerabilities and Issues — Haxcms-nodejs CVE List

Lucene search

PsuHaxcms-nodejs

10 matches found

CVE•added 2025/06/09 9:15 p.m.•50 views

CVE-2025-49141

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the gitImportSite functionality obtains a URL string from a POST request and insufficiently validates user input. The set_remote function later passes this input into proc_open, yielding OS comm...

8.8CVSS9AI score0.00576EPSS

CVE•added 2025/06/09 9:15 p.m.•45 views

CVE-2025-49139

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is visited...

6.5CVSS5.1AI score0.00055EPSS

CVE•added 2025/06/09 9:15 p.m.•43 views

CVE-2025-49137

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in th...

8.5CVSS8.4AI score0.00048EPSS

CVE•added 2025/07/21 9:15 p.m.•17 views

CVE-2025-54127

HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS version of HAXcms uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authentication...

9.8CVSS6.5AI score0.00073EPSS

CVE•added 2025/07/26 4:16 a.m.•10 views

CVE-2025-54378

HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS d...

8.3CVSS6.1AI score0.00044EPSS

CVE•added 2025/07/11 6:15 p.m.•9 views

CVE-2025-53642

haxcms-nodejs and haxcms-php are backends for HAXcms. The logout function within the application does not terminate a user's session or clear their cookies. Additionally, the application issues a refresh token when logging out. This vulnerability is fixed in 11.0.6.

6.5CVSS6.5AI score0.00036EPSS

CVE•added 2025/07/21 9:15 p.m.•9 views

CVE-2025-54128

HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.7 and below, the NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect against cross-site-...

7.2CVSS6.4AI score0.00034EPSS

CVE•added 2025/07/21 9:15 p.m.•9 views

CVE-2025-54134

HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.8 and below, the HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles e...

7.1CVSS6.2AI score0.00081EPSS

CVE•added 2025/07/22 10:15 p.m.•9 views

CVE-2025-54137

HAX CMS NodeJS allows users to manage their microsite universe with a NodeJS backend. Versions 11.0.9 and below were distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys for JWTs. Users aren't prompted to change c...

7.3CVSS7AI score0.00112EPSS

CVE•added 2025/07/23 12:15 a.m.•6 views

CVE-2025-54139

HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers to prevent other websites from loading the site within an if...

6.1CVSS6.8AI score0.00052EPSS