PsuHaxcms-php

8 matches found

CVE
added 2025/06/09 9:11 p.m. (139 views)

CVE-2025-49141

The CVE-2025-49141 entry concerns HAX CMS PHP (pre-11.0.3) with an OS command injection in the gitImportSite flow. The issue arises when gitImportSite retrieves a URL from a POST request and performs insufficient input validation; later, set_remote passes the input to proc_open, enabling an attac...

CVSS 8.8 | AI score 9 | EPSS 0.01496
CVE
added 2025/06/09 9:05 p.m. (69 views)

CVE-2025-49138

HAX CMS PHP before v11.0.0 is vulnerable to an authenticated Local File Inclusion via the saveOutline API. The backend stores the provided location value directly into site.json without validation, allowing an attacker to craft a relative path (for example ../../../etc/passwd) to read arbitrary f...

CVSS 6.5 | AI score 6.4 | EPSS 0.00449
CVE (Web)
added 2025/04/08 4:06 p.m. (67 views)

CVE-2025-32028

CVE-2025-32028 affects HAX CMS PHP. The issue lies in the save() function in HAXCMSFile.php, which blocks only a non-exhaustive list of file types (.php, .sh, .js, .css); the logic is described as fail-open, enabling insecure file uploads. This can lead to remote code execution as described acros...

CVSS 9.9 | AI score 7.1 | EPSS 0.01725
CVE
added 2025/06/09 9:08 p.m. (63 views)

CVE-2025-49139

CVE-2025-49139 pertains to HAX CMS (NodeJS/PHP) prior to version 11.0.0. The issue arises from a website block in the HAX site editor that lets an authenticated user specify a target URL to load in an iframe. When a user visits the attacker-controlled HAX site, the client’s browser requests the s...

CVSS 6.5 | AI score 5.1 | EPSS 0.00324
CVE
added 2025/06/09 9:00 p.m. (60 views)

CVE-2025-49137

HAX CMS PHP prior to 11.0.0 is vulnerable to stored XSS via the saveNode and saveManifest endpoints, where unsanitized user input is stored in the site JSON schema and rendered in the generated microsite. The issue allows execution of arbitrary JavaScript through HTML tags (notably without using ...

CVSS 8.5 | AI score 8.4 | EPSS 0.00231
CVE
added 2025/07/26 3:27 a.m. (36 views)

CVE-2025-54378

CVE-2025-54378 affects HAX CMS backends (nodejs and PHP). The issue is that API endpoints do not verify authorization for resource interactions, only checking authentication, allowing an authenticated user to perform privileged operations. Affected versions: haxcms-nodejs ≤ 11.0.13 and haxcms-php...

CVSS 8.3 | AI score 6.1 | EPSS 0.0047
CVE
added 2025/07/22 11:24 p.m. (33 views)

CVE-2025-54139

CVE-2025-54139 affects HAX CMS NodeJS and PHP backends. Versions haxcms-nodejs ≤ 11.0.12 and haxcms-php ≤ 11.0.7 expose pages without anti-iframe headers, enabling unauthenticated attackers to load sensitive pages (including login) in an iframe and perform a UI redress (clickjacking). Impact is U...

CVSS 6.1 | AI score 6.8 | EPSS 0.003
CVE
added 2025/07/11 5:33 p.m. (27 views)

CVE-2025-53642

CVE-2025-53642 concerns the haxcms-nodejs and haxcms-php backends for HAXcms. The logout flow does not terminate the user session or clear cookies, and a refresh token is issued on logout, enabling potential continued access. Affected versions are haxcms-nodejs and haxcms-php prior to 11.0.6. The issue is m...

CVSS 6.5 | AI score 6.5 | EPSS 0.00166