CVE-2025-49137

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-49137
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49137.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-49137
Aliases
Related
Published
2025-06-09T21:15:46Z
Modified
2025-06-20T16:42:18.795116Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a script tag, it does allow the use of other HTML tags to run JavaScript. Version 11.0.0 fixes the issue.

References

Affected packages

Git / github.com/haxtheweb/haxcms-php

Affected ranges

Type
GIT
Repo
https://github.com/haxtheweb/haxcms-php
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.0.1
0.1.0
0.11.0
0.12.0
0.12.1
0.12.2
0.12.3
0.2.0
0.3.0
0.4.0
0.5.0
0.6.0
0.7.0
0.8.0
0.8.1
0.8.2
0.9.0

1.*

1.0.0
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0
1.2.1
1.2.10
1.2.11
1.2.12
1.2.13
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.3.0
1.3.1
1.4.0

10.*

10.0.0
10.0.3

2.*

2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9

3.*

3.0.0

4.*

4.0.0
4.1.0

5.*

5.1.0

6.*

6.0.1

7.*

7.0.1
7.0.10
7.0.13
7.0.14
7.0.15
7.0.16
7.0.2
7.0.3

8.*

8.0.0

9.*

9.0.21

v10.*

v10.0.3

v9.*

v9.0.0
v9.0.1
v9.0.2
v9.0.3
v9.0.5
v9.0.6