HAX CMS vulnerable to Local File Inclusion via saveOutline API Location Parameter
Description
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, an authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). The vulnerability stems from the way the HAXCMS backend handles the location field in the site's outline. When a user sends a POST request to /system/api/saveOutline, the backend stores the provided location value directly into the site.json file associated with the site, without validating or sanitizing the input. Later the location parameter is interpreted by the CMS to resolve and load the content for a given node. If the location field contains a relative path like ../../../etc/passwd, the application will attempt to read and render that file. Version 11.0.0 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated Local File Inclusion in HAX CMS PHP (pre-11.0.0) lets low-privileged users read arbitrary server files via the saveOutline endpoint.
Vulnerability
Overview
CVE-2025-49138 describes an authenticated Local File Inclusion vulnerability in HAX CMS PHP, affecting versions prior to 11.0.0. The root cause lies in the saveOutline endpoint at /system/api/saveOutline: when a user submits a POST request, the location field is stored directly into the site's site.json file without sanitization. This unsanitized input is later used by the CMS to resolve and load content for a node, leading to path traversal attacks [1][2].
Exploitation
An attacker with a valid CMS account (lowest privilege suffices) can exploit the vulnerability by sending a crafted POST request to the saveOutline endpoint. The location parameter accepts relative paths such as ../../../etc/passwd, which are faithfully written to the site's outline. When the CMS later interprets this outline—for example, in the HAXCMSSite.php file at line 1248—it includes the attacker-specified file, rendering its contents on the server-side response [3][4].
Impact
Successful exploitation allows the attacker to read any file on the filesystem that the web server user (typically www-data) can access. This includes sensitive system files like /etc/passwd, application configuration files containing secrets or database credentials, and potentially other protected resources. The vulnerability does not require any special privileges beyond initial authentication [1][4].
Mitigation
The vulnerability was addressed in version 11.0.0. Users of HAX CMS PHP should upgrade immediately to the patched version. No workarounds have been published, and the advisory recommends applying the fix as soon as possible [1][4].
- NVD - CVE-2025-49138
- GitHub - haxtheweb/issues: Issue queue for hax, haxcms, elmsln, lrnwebcomponents, wcfactory, websites and more.
- haxcms-php/system/backend/php/lib/HAXCMSSite.php at b158d8ba1f9602af92ab084fd03b418f953079fd · haxtheweb/haxcms-php
- Local File Inclusion via saveOutline API Location Parameter
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
elmsln/haxcmsPackagist | < 11.0.0 | 11.0.0 |
Affected products
2- haxtheweb/issuesv5Range: < 11.0.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-hxrr-x32w-cg8gghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-49138ghsaADVISORY
- github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/HAXCMSSite.phpghsax_refsource_MISCWEB
- github.com/haxtheweb/issues/security/advisories/GHSA-hxrr-x32w-cg8gghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.