CVE-2025-49137

Source
https://cve.org/CVERecord?id=CVE-2025-49137
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49137.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-49137
Aliases
Published
2025-06-09T21:00:15.808Z
Modified
2026-04-02T12:57:42.214161Z
Severity
  • 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Summary
Hax CMS Stored Cross-Site Scripting vulnerability
Details

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a script tag, it does allow the use of other HTML tags to run JavaScript. Version 11.0.0 fixes the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49137.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79",
        "CWE-80",
        "CWE-87"
    ]
}
References

Affected packages

Git / github.com/haxtheweb/haxcms-nodejs

Affected ranges

Type
GIT
Repo
https://github.com/haxtheweb/haxcms-nodejs
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "11.0.0"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "11.0.0"
        }
    ]
}

Affected versions

10.*
10.0.0
v0.*
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.15
v0.0.16
v0.0.17
v0.0.18
v0.0.19
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v10.*
v10.0.1
v10.0.2
v10.0.3
v10.0.4
v10.0.5
v10.0.6
v9.*
v9.0.0
v9.0.0-alpha.0
v9.0.0-alpha.1
v9.0.1
v9.0.10
v9.0.11
v9.0.12
v9.0.13
v9.0.14
v9.0.15
v9.0.16
v9.0.17
v9.0.18
v9.0.19
v9.0.2
v9.0.20
v9.0.21
v9.0.3
v9.0.4
v9.0.5
v9.0.6
v9.0.7
v9.0.8
v9.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49137.json"

Git / github.com/haxtheweb/haxcms-php

Affected ranges

Type
GIT
Repo
https://github.com/haxtheweb/haxcms-php
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*
0.0.1
0.1.0
0.11.0
0.12.0
0.12.1
0.12.2
0.12.3
0.2.0
0.3.0
0.4.0
0.5.0
0.6.0
0.7.0
0.8.0
0.8.1
0.8.2
0.9.0
1.*
1.0.0
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0
1.2.1
1.2.10
1.2.11
1.2.12
1.2.13
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.3.0
1.3.1
1.4.0
10.*
10.0.0
10.0.3
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
3.*
3.0.0
4.*
4.0.0
4.1.0
5.*
5.1.0
6.*
6.0.1
7.*
7.0.1
7.0.10
7.0.13
7.0.14
7.0.15
7.0.16
7.0.2
7.0.3
8.*
8.0.0
9.*
9.0.21
v10.*
v10.0.3
v9.*
v9.0.0
v9.0.1
v9.0.2
v9.0.3
v9.0.5
v9.0.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49137.json"