VYPR
High severityNVD Advisory· Published Jun 9, 2025· Updated Jun 10, 2025

Hax CMS Stored Cross-Site Scripting vulnerability

CVE-2025-49137

Description

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a script tag, it does allow the use of other HTML tags to run JavaScript. Version 11.0.0 fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
elmsln/haxcmsPackagist
< 11.0.011.0.0

Affected products

2

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.