Haxtheweb Issues vulnerabilities
15 known vulnerabilities affecting haxtheweb/issues.
Total CVEs
15
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL 2 | HIGH 3 | MEDIUM 10
Vulnerabilities
CVE-2025-54127 | CRITICAL | CVSS 9.8 | Priority P2 | CWE-1188 | Fixed in 11.0.7 | Date 2025-07-21
HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS version of HAXcms uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authentication checks. If a user were to deploy haxcms-nodejs w
Source: nvd
CVE-2025-49141 | HIGH | CVSS 8.8 | Priority P2 | CWE-78 | Fixed in 11.0.3 | Date 2025-06-09
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the `gitImportSite` functionality obtains a URL string from a POST request and insufficiently validates user input. The `set_remote` function later passes this input into `proc_open`, yielding OS command injection. An authenticated attacker can craf
Source: nvd
CVE-2025-32028 | CRITICAL | CVSS 9.9 | Priority P3 | CWE-434 | Affected >= 9.0.0, < 10.0.3 | Date 2025-04-08
HAX CMS PHP allows you to manage your microsite universe with PHP backend. Multiple file upload functions within the HAX CMS PHP application call a 'save' function in 'HAXCMSFile.php'. This save function uses a denylist to block specific file types from being uploaded to the server. This list is non-exhaustive and only blocks '.php', '.sh', '.js',
Source: nvd
CVE-2025-54378 | HIGH | CVSS 8.3 | Priority P3 | CWE-285 | Fixed in 11.0.14 | Date 2025-07-26
HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact wi
Source: nvd
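The missing step the advisory describes, modelled as an added example rather than as HAX CMS code: the site table, the roles, the action names and the handler shapes are all invented here. The point is the ordering: resolve the resource, decide whether this caller may perform this action on it, and only then act. Unknown and forbidden sites both surface as 404 so the authorization check does not double as an account or site enumeration oracle (the same concern raised by the HAXiam 200/404 entry further down).

```javascript
// Added example; not HAX CMS code. Registry, roles and names are constructed.

// Constructed in-memory site registry standing in for the CMS's site list.
const SITES = new Map([
  ['alice-blog', { owner: 'alice', editors: new Set(['bob']) }],
  ['course-101', { owner: 'carol', editors: new Set() }],
]);

const ROLE_ACTIONS = {
  owner:  new Set(['read', 'write', 'delete', 'publish', 'share']),
  editor: new Set(['read', 'write']),
};

function roleFor(user, site) {
  if (user.superuser) return 'owner';
  if (site.owner === user.name) return 'owner';
  if (site.editors.has(user.name)) return 'editor';
  return null;
}

function httpError(status, message) {
  return Object.assign(new Error(message), { status });
}

// Resource-level authorization: look the site up, then check whether *this*
// caller may perform *this* action on *it*. Unknown and forbidden sites both
// yield 404 so the endpoint cannot be used to confirm a site exists.
function authorizeSiteAction(user, siteName, action) {
  const site = SITES.get(siteName);
  const role = site ? roleFor(user, site) : null;
  if (!role || !ROLE_ACTIONS[role].has(action)) throw httpError(404, 'not found');
  return site;
}

// VULNERABLE shape: authentication only. Any logged-in user can delete any site.
function deleteSiteInsecure(user, siteName) {
  if (!user) throw httpError(401, 'unauthenticated');
  return SITES.delete(siteName);
}

// HARDENED shape: authenticate, then authorize against the specific site.
function deleteSite(user, siteName) {
  if (!user) throw httpError(401, 'unauthenticated');
  authorizeSiteAction(user, siteName, 'delete');
  return SITES.delete(siteName);
}

// Another endpoint reusing the same gate with a different action.
function addEditor(user, siteName, editorName) {
  if (!user) throw httpError(401, 'unauthenticated');
  const site = authorizeSiteAction(user, siteName, 'share');
  site.editors.add(editorName);
  return [...site.editors];
}
```

Every endpoint that names a resource goes through `authorizeSiteAction`; a handler that only checks for a valid session is the shape the advisory reports.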
CVE-2025-54137 | HIGH | CVSS 7.3 | Priority P3 | CWE-1392 | Fixed in 11.0.10 | Date 2025-07-22
HAX CMS NodeJS allows users to manage their microsite universe with a NodeJS backend. Versions 11.0.9 and below were distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys for JWTs. Users aren't prompted to change credentials or secrets during installation, and there
Source: nvd
CVE-2025-49138 | MEDIUM | CVSS 6.5 | Priority P3 | CWE-22 | Fixed in 11.0.0 | Date 2025-06-09
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, an authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to ex
Source: nvd
CVE-2025-54134 | MEDIUM | CVSS 6.5 | Priority P3 | CWE-20 | Fixed in 11.0.9 | Date 2025-07-21
HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.8 and below, the HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles endpoints. This vulnerability exists because the appli
Source: nvd
CVE-2026-46401 | MEDIUM | CVSS 5.3 | Priority P3 | CWE-613 | Fixed in 26.0.0 | Date 2026-06-05
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.0 suffer from an improper session termination vulnerability where authentication tokens remain valid after user logout. This allows attackers who obtain valid tokens to maintain persistent access to authenticated CMS functionality, bypassing the intended sess
Source: nvd
CVE-2025-49139 | MEDIUM | CVSS 6.5 | Priority P4 | CWE-1021 | Fixed in 11.0.0 | Date 2025-06-09
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is visited, the client's browser will query the supplied URL.
Source: nvd
CVE-2025-53642 | MEDIUM | CVSS 6.5 | Priority P4 | CWE-613 | Fixed in 11.0.6 | Date 2025-07-11
haxcms-nodejs and haxcms-php are backends for HAXcms. The logout function within the application does not terminate a user's session or clear their cookies. Additionally, the application issues a refresh token when logging out. This vulnerability is fixed in 11.0.6.
Source: nvd
CVE-2025-54139 | MEDIUM | CVSS 6.1 | Priority P4 | CWE-1021 | Fixed in 11.0.13 (haxcms-nodejs) and 11.0.8 (haxcms-php) | Date 2025-07-23
HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers to prevent other websites from loading the site within an iframe. This applies to both the CMS and generated si
Source: nvd
CVE-2025-48996 | MEDIUM | CVSS 5.3 | Priority P4 | CWE-201 | Affected ≤ 10.0.2 | Date 2025-06-02
HAX open-apis provides microservice apis for HAX webcomponents repo that are shared infrastructure calls. An unauthenticated information disclosure vulnerability exists in the Penn State University deployment of the HAX content management system via the `haxPsuUsage` API endpoint, related to a flaw present in open-apis versions up to and including 1
Source: nvd
CVE-2025-49137 | MEDIUM | CVSS 6.1 | Priority P4 | CWE-79 | Fixed in 11.0.0 | Date 2025-06-09
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rend
Source: nvd
CVE-2025-54128 | MEDIUM | CVSS 6.1 | Priority P4 | CWE-79 | Fixed in 11.0.8 | Date 2025-07-21
HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.7 and below, the NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect against cross-site-scripting attacks. The contentSecurityPolicy value is
Source: nvd
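The two response-header entries (the disabled CSP here and the missing anti-framing headers in CVE-2025-54139) are served by one added example. It is not HAX CMS code: the directive values are an illustrative baseline chosen here, not the project's policy, and the assumption that the CMS serves both an editor UI and generated sites comes from the advisories' wording. The `contentSecurityPolicy` option name in the description matches the Express `helmet` middleware, where `contentSecurityPolicy: false` switches the policy off; that correspondence is an assumption. The block builds a production header set and includes a small checker that applies the browser rule for framing (`frame-ancestors`, when present, overrides `X-Frame-Options`).

```javascript
// Added example; not HAX CMS code. Directive values are an illustrative baseline.

// Joins a directive map into a Content-Security-Policy header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => (values.length ? `${name} ${values.join(' ')}` : name))
    .join('; ');
}

// Baseline for the authenticated editor: strict sources, no framing by anyone.
const CMS_DIRECTIVES = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'style-src': ["'self'", "'unsafe-inline'"],   // tighten to nonces when templates allow it
  'img-src': ["'self'", 'data:'],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
  'form-action': ["'self'"],
  'frame-ancestors': ["'none'"],
  'upgrade-insecure-requests': [],
};

// A generated site may legitimately be embedded by itself and by the CMS that owns it.
function siteDirectives(cmsOrigin) {
  return { ...CMS_DIRECTIVES, 'frame-ancestors': ["'self'", cmsOrigin] };
}

// X-Frame-Options for browsers without frame-ancestors support. It can only
// say DENY or SAMEORIGIN; an allow list of origins has to rely on CSP alone.
function xfoFor(frameAncestors) {
  if (!frameAncestors || frameAncestors.length === 0 || frameAncestors.includes("'none'")) return 'DENY';
  if (frameAncestors.length === 1 && frameAncestors[0] === "'self'") return 'SAMEORIGIN';
  return undefined;
}

function securityHeaders(directives = CMS_DIRECTIVES) {
  const headers = {
    'Content-Security-Policy': buildCsp(directives),
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
  };
  const xfo = xfoFor(directives['frame-ancestors']);
  if (xfo) headers['X-Frame-Options'] = xfo;
  return headers;
}

// Could a page served with `headers` (own origin `self`) be framed by `embedder`?
function isFrameableBy(headers, embedder, self) {
  const get = (name) => {
    const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === name.toLowerCase());
    return hit ? hit[1] : undefined;
  };
  const csp = get('Content-Security-Policy');
  if (csp) {
    const fa = csp.split(';').map((d) => d.trim().split(/\s+/)).find((d) => d[0] === 'frame-ancestors');
    if (fa) {
      const sources = fa.slice(1);
      if (sources.length === 0 || sources.includes("'none'")) return false;
      return sources.some((s) => s === '*' || s === embedder || (s === "'self'" && embedder === self));
    }
  }
  const xfo = (get('X-Frame-Options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder === self;
  return true;   // no policy at all: the state both advisories describe
}
```

Send both headers on every response, including generated sites and error pages, not only on the editor's HTML. A CSP that omits `frame-ancestors` does nothing against framing, and `X-Frame-Options` is ignored by any browser that understands `frame-ancestors`, so the two have to agree.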
CVE-2025-54129 | MEDIUM | CVSS 4.3 | Priority P4 | CWE-204 | Fixed in 11.0.5 | Date 2025-07-21
HAXiam is a packaging wrapper for HAXcms which allows anyone to spawn their own microsite management platform. In versions 11.0.4 and below, the application returns a 200 response when requesting the data of a valid user and a 404 response when requesting the data of an invalid user. This can be used to infer the existence of valid user accounts. An
Source: nvd