cvebase

Psu Haxcms-Php vulnerabilities

8 known vulnerabilities affecting psu/haxcms-php.

Total CVEs: 8
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 5

Vulnerabilities

CVE-2025-49141 | P2 | HIGH | CVSS 8.8 | fixed in 11.0.0 | 2025-06-09
CVE-2025-49141 [HIGH] CWE-78: HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the `gitImportSite` functionality obtains a URL string from a POST request and insufficiently validates user input. The `set_remote` function later passes this input into `proc_open`, yielding OS command injection. An authenticated attacker can craf
Source: nvd
CVE-2025-32028 | P3 | CRITICAL | CVSS 9.9 | ≥ 9.0.0, < 10.0.3 | 2025-04-08
CVE-2025-32028 [CRITICAL] CWE-434: HAX CMS PHP allows you to manage your microsite universe with PHP backend. Multiple file upload functions within the HAX CMS PHP application call a 'save' function in 'HAXCMSFile.php'. This save function uses a denylist to block specific file types from being uploaded to the server. This list is non-exhaustive and only blocks '.php', '.sh', '.js',
Source: nvd
CVE-2025-54378 | P3 | HIGH | CVSS 8.3 | fixed in 11.0.9 | 2025-07-26
CVE-2025-54378 [HIGH] CWE-285: HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact wi
Source: nvd
CVE-2025-49138 | P3 | MEDIUM | CVSS 6.5 | fixed in 11.0.0 | 2025-06-09
CVE-2025-49138 [MEDIUM] CWE-22: HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, an authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to ex
Source: nvd
CVE-2025-49139 | P4 | MEDIUM | CVSS 6.5 | fixed in 11.0.0 | 2025-06-09
CVE-2025-49139 [MEDIUM] CWE-1021: HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is visited, the client's browser will query the supplied URL.
Source: nvd
CVE-2025-53642 | P4 | MEDIUM | CVSS 6.5 | fixed in 11.0.6 | 2025-07-11
CVE-2025-53642 [MEDIUM] CWE-613: haxcms-nodejs and haxcms-php are backends for HAXcms. The logout function within the application does not terminate a user's session or clear their cookies. Additionally, the application issues a refresh token when logging out. This vulnerability is fixed in 11.0.6.
Source: nvd
CVE-2025-54139 | P4 | MEDIUM | CVSS 6.1 | ≥ 11.0.0, < 11.0.8 | 2025-07-23
CVE-2025-54139 [MEDIUM] CWE-1021: HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers to prevent other websites from loading the site within an iframe. This applies to both the CMS and generated si
Source: nvd
CVE-2025-49137 | P4 | MEDIUM | CVSS 6.1 | fixed in 11.0.0 | 2025-06-09
CVE-2025-49137 [MEDIUM] CWE-79: HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rend
Source: nvd