Haxtheweb Haxcms-Nodejs vulnerabilities
18 known vulnerabilities affecting haxtheweb/haxcms-nodejs.
Total CVEs: 18
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 9, MEDIUM 4
Vulnerabilities
CVE-2026-46395 | P2 | CRITICAL | CVSS 9.3 | CWE-200 | fixed in 26.0.0 | 2026-06-05
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system’s private signing key and forge arbitrary admin-level JSON Web Token
Sources: GHSA, NVD
CVE-2025-54127 | P2 | CRITICAL | CWE-1188 | affected ≥ 0, < 11.0.7 | 2025-07-21
NodeJS version of HAX CMS Has Insecure Default Configuration That Leads to Unauthenticated Access
### Summary
The NodeJS version of HAX CMS uses an insecure default configuration designed for local
development. The default configuration does not perform authorization or authentication checks.
### Details
If a user were to deploy haxcms-nodejs without modifying th
Sources: GHSA, OSV
CVE-2025-49141 | P2 | HIGH | CWE-78 | affected ≥ 0, < 11.0.3 | 2025-06-09
HaxCMS-PHP Command Injection Vulnerability
### Summary
The `gitImportSite` functionality obtains a URL string from a POST request and insufficiently validates user input. The `set_remote` function later passes this input into `proc_open`, yielding OS command injection.
### Details
The vulnerability exists in the logic of the `gitImportSite` function, located in `Operations.php`. The current implementation only relies on th
Sources: GHSA, OSV
CVE-2026-46399 | P3 | CRITICAL | CVSS 9.4 | CWE-15 | fixed in 26.0.0 | 2026-06-05
HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git filter commands and achieve code execution on the HAX CMS server. Version 26.0.0 patches the issue.
Source: NVD
CVE-2026-46511 | P3 | HIGH | CVSS 8.7 | CWE-79 | fixed in 26.0.0 | 2026-06-05
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover. The API dynamically leaks the active session's authenti
Sources: GHSA, NVD
CVE-2026-22704 | P4 | HIGH | PoC available | CWE-79 | affected ≥ 11.0.6, < 25.0.0 | 2026-01-13
HAXcms Has Stored XSS Vulnerability that May Lead to Account Takeover
### Summary
Stored XSS Leading to Account Takeover
### Details
The Exploit Chain:
1. Upload: The attacker uploads an `.html` file containing a JavaScript payload.
2. Execution: A logged-in administrator is tricked into visiting the URL of this uploaded file.
3. Token Refresh: The JavaScript payload makes a `fetch` request to the `
Sources: GHSA, OSV
CVE-2025-54378 | P3 | HIGH | CWE-285 | affected ≥ 0, < 11.0.14 | 2025-07-25
HAX CMS API Lacks Authorization Checks
### Summary
The HAX CMS API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation.
### Details
The API endpoints within the HAX CMS application check if a user is authenticated, but don't check for authorization befor
Sources: GHSA, OSV
CVE-2026-46496 | P3 | CRITICAL | CVSS 9.3 | CWE-79 | fixed in 26.0.0 | 2026-06-05
HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `` component. The component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute a
Sources: GHSA, NVD
CVE-2026-46396 | P3 | CRITICAL | CVSS 9.3 | CWE-79 | fixed in 26.0.0 | 2026-06-05
HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `` elements. The application allows `javascript:` URIs in the `src` attribute, which are executed when a malicious page is viewed. This enables attackers to execute
Sources: GHSA, NVD
CVE-2026-48527 | P3 | HIGH | CVSS 8.7 | CWE-79 | fixed in 26.0.1 | 2026-05-29
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting (XSS) vulnerability in the `/system/api/saveNode` endpoint. An authenticated user with a permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute without whitespace
Sources: GHSA, NVD
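Added example, not HAX CMS code, covering the three sanitizer bypasses above (CVE-2026-46496 and CVE-2026-46396: `javascript:` URIs in `source`/`src`; CVE-2026-48527: an event-handler attribute with no whitespace before it). It shows why a regex that looks for `\s+on...=` misses `<img src="x"onerror=...>`, and why a URL check has to normalise entities, control characters and case before inspecting the scheme. The attribute tokenizer handles a single start tag and exists only to make the point; the URL-attribute and scheme allow-lists are assumptions. A production sanitizer should be built on a real HTML parser such as DOMPurify rather than on this code.

```javascript
// The naive check a sanitizer might use: it requires whitespace before the
// attribute name, so `<img src="x"onerror=alert(1)>` slips through.
function naiveHasEventHandler(tag) {
  return /\s+on\w+\s*=/i.test(tag);
}

// Decodes numeric HTML entities (&#106; / &#x6A;) so an encoded scheme cannot
// hide from the check. Out-of-range code points become empty strings.
function decodeNumericEntities(s) {
  const cp = (n) => (Number.isFinite(n) && n <= 0x10ffff ? String.fromCodePoint(n) : "");
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)));
}

// Assumed scheme allow-list; relative URLs (no scheme) are accepted.
const SAFE_SCHEMES = new Set(["http", "https", "mailto", "tel"]);
function isSafeUrl(raw) {
  // Browsers drop tab/newline/CR inside a URL and trim leading/trailing space,
  // so "java\tscript:" and "  javascript:" both run. Normalise the same way.
  const v = decodeNumericEntities(raw).replace(/[\u0000-\u001f\u007f]/g, "").trim();
  const colon = v.indexOf(":");
  if (colon === -1) return true;
  const scheme = v.slice(0, colon).toLowerCase();
  if (/[/?#]/.test(scheme)) return true; // colon sits inside path/query, not a scheme
  return SAFE_SCHEMES.has(scheme);
}

// Tokenizes the attributes of one start tag the way a browser does: an attribute
// name begins at any non-whitespace character, so quotes closing the previous
// value are a valid boundary. Returns { name, attrs: [[name, value], ...] }.
function parseStartTag(tag) {
  const m = /^<([A-Za-z][A-Za-z0-9-]*)([\s\S]*?)\/?>$/.exec(tag.trim());
  if (!m) return null;
  const rest = m[2];
  const attrs = [];
  let i = 0;
  while (i < rest.length) {
    while (i < rest.length && /[\s/]/.test(rest[i])) i++;
    if (i >= rest.length) break;
    let start = i;
    while (i < rest.length && !/[\s=/>]/.test(rest[i])) i++;
    const attrName = rest.slice(start, i).toLowerCase();
    if (!attrName) { i++; continue; }
    let value = "";
    while (i < rest.length && /\s/.test(rest[i])) i++;
    if (rest[i] === "=") {
      i++;
      while (i < rest.length && /\s/.test(rest[i])) i++;
      const q = rest[i];
      if (q === '"' || q === "'") {
        const end = rest.indexOf(q, i + 1);
        value = rest.slice(i + 1, end === -1 ? rest.length : end);
        i = end === -1 ? rest.length : end + 1;
      } else {
        start = i;
        while (i < rest.length && !/\s/.test(rest[i])) i++;
        value = rest.slice(start, i);
      }
    }
    attrs.push([attrName, value]);
  }
  return { name: m[1].toLowerCase(), attrs };
}

// Attributes whose value is a URL (assumed list). Anything named on* is dropped
// regardless of spacing; URL attributes are dropped unless isSafeUrl passes.
const URL_ATTRS = new Set(["src", "href", "source", "action", "formaction", "data", "poster", "xlink:href"]);
function sanitizeStartTag(tag) {
  const parsed = parseStartTag(tag);
  if (!parsed) return "";
  const kept = parsed.attrs.filter(
    ([n, v]) => !n.startsWith("on") && !(URL_ATTRS.has(n) && !isSafeUrl(v))
  );
  const attrText = kept
    .map(([n, v]) => ` ${n}="${v.replace(/&/g, "&amp;").replace(/"/g, "&quot;")}"`)
    .join("");
  return `<${parsed.name}${attrText}>`;
}
```

The two lessons generalise: decide on attribute names after tokenizing, never by pattern-matching the raw tag text, and decide on URL schemes after normalising to what the browser will actually see.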
CVE-2025-54137 | P3 | HIGH | CWE-1392 | affected ≥ 0, < 11.0.10 | 2025-07-21
NodeJS version of the HAX CMS application is distributed with Default Secrets
### Summary
The NodeJS version of the HAX CMS application is distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys for JWTs. Users aren't prompted to change credentials or secrets during installation, and there is no way to ch
Sources: GHSA, OSV
CVE-2026-46393 | P3 | HIGH | CVSS 7.1 | CWE-918 | fixed in 26.0.0 | 2026-06-05
HAX CMS helps manage microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 26.0.0 allows authenticated users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. Ver
Sources: GHSA, NVD
CVE-2026-46397 | P3 | MEDIUM | CVSS 6.5 | CWE-22 | fixed in 26.0.0 | 2026-06-05
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate se
Source: NVD
CVE-2026-46357 | P3 | MEDIUM | CVSS 6.5 | CWE-20 | fixed in 26.0.0 | 2026-06-05
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire application offline, requiring a manual server restart to rest
Sources: GHSA, NVD
CVE-2025-54134 | P3 | HIGH | CWE-20 | affected ≥ 0, < 11.0.9 | 2025-07-21
HAX CMS NodeJS Application Has Improper Error Handling That Leads to Denial of Service
### Summary
The HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the `listFiles` and `saveFiles` endpoints.
### Details
This vulnerability exists because the application does not properly handle
Sources: GHSA, OSV
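Added example, not HAX CMS code, serving three entries on this page: CVE-2025-54378 (endpoints that authenticate but never authorise against the specific resource) and CVE-2025-54134 / CVE-2026-46357 (a single malformed request crashing the Node process). A handler wrapper performs the checks in a fixed order, authentication (401), required parameters (400), resource lookup (404), per-resource authorisation (403), and finally wraps the handler body so an exception becomes a 500 response instead of an uncaught error. The in-memory site store, the owner/editor permission model and the `listFiles` handler are constructed for illustration and are not the project's own.

```javascript
// Constructed stand-in for the CMS site store (not real data).
const sites = new Map([
  ["site-a", { owner: "alice", editors: new Set(["bob"]) }],
  ["site-b", { owner: "carol", editors: new Set() }],
]);

// Assumed permission model: the check receives the authenticated user and the
// *specific* resource. This is the step the advisory says was missing.
const canPerform = {
  listFiles: (user, site) => site.owner === user || site.editors.has(user),
  editPage: (user, site) => site.owner === user || site.editors.has(user),
  deleteSite: (user, site) => site.owner === user,
};

// Wraps a handler so every request is validated before the body runs.
// `req` is { user: string|null, params: object }; returns { status, body }.
function withChecks({ required, action }, handler) {
  return function guarded(req) {
    if (!req.user) return { status: 401, body: { error: "authentication required" } };
    const missing = required.filter((k) => req.params[k] === undefined || req.params[k] === "");
    if (missing.length) return { status: 400, body: { error: `missing parameter(s): ${missing.join(", ")}` } };
    const site = sites.get(req.params.siteId);
    if (!site) return { status: 404, body: { error: "no such site" } };
    const check = canPerform[action];
    if (!check) return { status: 500, body: { error: "unknown action" } };
    if (!check(req.user, site)) return { status: 403, body: { error: "forbidden" } };
    try {
      return { status: 200, body: handler(req, site) };
    } catch (err) {
      // A thrown error must never escape the handler: unhandled, it takes the
      // whole Node process down (the advisory's one-request outage).
      return { status: 500, body: { error: "internal error" } };
    }
  };
}

// Example endpoint. "boom" simulates a storage-layer failure.
const listFiles = withChecks({ required: ["siteId", "path"], action: "listFiles" }, (req) => {
  if (req.params.path.includes("boom")) throw new Error("simulated storage failure");
  return { files: [`${req.params.path}/index.html`] };
});
```

For `async` handlers the same wrapper must `await` inside the `try`, and the process should still register `process.on("unhandledRejection", ...)` and `process.on("uncaughtException", ...)` as a last line of defence that logs and exits cleanly under a supervisor, rather than relying on a manual restart.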
CVE-2025-49139 | P4 | MEDIUM | CWE-1021 | affected ≥ 0, < 11.0.0 | 2025-06-09
@haxtheweb/haxcms-nodejs Iframe Phishing vulnerability
### Summary
In the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is visited, the client's browser will query the supplied URL.
### Affected Resources
- [Operations.php:868](https://github.com/haxtheweb/haxcms-php/blob/mast
Sources: GHSA, OSV
CVE-2025-54139 | P4 | MEDIUM | CWE-1021 | affected ≥ 0, < 11.0.13 | 2025-07-21
HAX CMS application pages vulnerable to clickjacking
### Summary
All pages within the HAX CMS application do not contain headers to stop other websites from loading the site within an iframe. This applies to both the CMS and generated sites.
### PoC
To replicate this vulnerability, load the target page in an iframe and observe the rendered content.
### Impact
An unauthenticated attacker can load the stan
Sources: GHSA, OSV
CVE-2025-54128 | P4 | HIGH | CWE-79 | affected ≥ 0, < 11.0.8 | 2025-07-21
NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting
### Summary
The NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect against cross-site-scripting attacks.
### Details
The `contentSecurityPolicy` value is explicitly d
Sources: GHSA, OSV