HAX CMS' application pages are vulnerable to clickjacking
Description
HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers to prevent other websites from loading the site within an iframe. This applies to both the CMS and generated sites. An unauthenticated attacker can load the standalone login page or other sensitive functionality within an iframe, performing a UI redressing attack (clickjacking). This can be used to perform social engineering attacks to attempt to coerce users into performing unintended actions within the HAX CMS application. This is fixed in haxcms-nodejs version 11.0.13 and haxcms-php 11.0.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HAX CMS (NodeJS ≤11.0.12, PHP ≤11.0.7) sends no anti-framing header (neither X-Frame-Options nor a Content-Security-Policy frame-ancestors directive), so any origin can load its pages, including the standalone login page, in an iframe and use them for clickjacking.
Vulnerability
HAX CMS, a platform for managing microsites with NodeJS or PHP backends, fails to set the X-Frame-Options header or Content-Security-Policy: frame-ancestors directive on any of its pages. This affects both the CMS interface and sites generated by the CMS in haxcms-nodejs versions 11.0.12 and below, and haxcms-php versions 11.0.7 and below [1][4]. The absence of these headers allows any website to embed HAX CMS pages within an iframe.
Exploitation
An unauthenticated attacker can craft a malicious webpage that loads the HAX CMS login page or other sensitive functionality (such as content editing or administration panels) in an invisible iframe. By overlaying deceptive UI elements, the attacker can trick a victim into performing unintended actions, such as clicking buttons or submitting forms, effectively conducting a clickjacking (UI redressing) attack [1][4]. Because the iframe is cross-origin, the attacker cannot read what the victim sees or types inside it, and credentials entered into a framed login page are submitted to the legitimate HAX CMS origin, not to the attacker; the leverage is the coerced clicks and keystrokes themselves, which is why a victim who already holds an authenticated session makes the editing and administration views the more damaging targets.
Impact
Successful exploitation can lead to social engineering attacks in which users unknowingly execute actions on the HAX CMS application, potentially compromising the integrity of the CMS or exposing sensitive data. The attacker needs no account on the target and can launch the attack from any external site, but must lure a victim, typically one holding a valid HAX CMS session, onto the attacker-controlled page [1][4].
Mitigation
The issue is fixed in haxcms-nodejs version 11.0.13 and haxcms-php version 11.0.8. The two backends take slightly different lines: the Node fix adds frame-ancestors 'self' to the helmet Content-Security-Policy, so only same-origin pages may frame the application [3], while the PHP fix sends Content-Security-Policy: frame-ancestors 'none' from index.php, forbidding framing entirely [4]. Users are advised to update to the patched versions. Operators who serve generated or published sites as static files, outside the patched entry points, should set an equivalent header at the web server or CDN (CSP frame-ancestors, with X-Frame-Options DENY or SAMEORIGIN as a fallback for user agents that do not honour frame-ancestors), since the PHP change only covers requests that pass through index.php.
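The script below is an added example, not HAX CMS project code, and serves both the Exploitation and Mitigation sections above. It shows the attacker's side (a decoy page that stacks a fully transparent iframe of the target over a bait button) and the defender's side (an audit that decides whether a given set of response headers lets a given origin frame the page, using the browser precedence that a frame-ancestors directive overrides X-Frame-Options and that with neither header anyone may frame). The origins cms.example.org and attacker.example and all header sets are constructed placeholders; the sample headers mirror the unpatched state, the PHP fix ('none') and the Node fix ('self'). It generalises slightly beyond the page by also handling scheme-only, wildcard-host and explicit-origin source expressions.

```javascript
// Added example, not HAX CMS project code. Plain Node, no dependencies.
// Origins, URLs and header sets below are constructed placeholders.

const SITE = 'https://cms.example.org';      // hypothetical HAX CMS origin
const ATTACKER = 'https://attacker.example'; // hypothetical attacker origin

// Attacker side: the UI-redress page from the Exploitation section. A full-size,
// fully transparent iframe of the target is stacked above a bait button, so the
// victim's click lands on whatever control the framed page has at that spot.
function clickjackDecoyPage(targetUrl, bait = 'Claim your prize') {
  return [
    '<!doctype html><html><body>',
    `<button style="position:absolute;top:120px;left:40px;z-index:1">${bait}</button>`,
    `<iframe src="${targetUrl}" style="position:absolute;top:0;left:0;` +
      'width:100%;height:100%;opacity:0;z-index:2;border:0"></iframe>',
    '</body></html>',
  ].join('\n');
}

// Defender side: pull the frame-ancestors source list out of a CSP value.
// null means the directive is absent, which is not the same as "deny".
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Match one frame-ancestors source expression against the framing origin.
// Covers 'none', 'self', '*', scheme-only (https:), host wildcards
// (*.example.org) and scheme://host; ports and paths are not modelled.
function sourceMatches(expr, pageOrigin, framerOrigin) {
  if (expr === 'none') return false;
  if (expr === 'self') return framerOrigin === pageOrigin;
  if (expr === '*') return true;
  const framer = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return framer.protocol === expr;
  const m = expr.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/);
  const host = m ? m[2] : expr;
  if (m && framer.protocol !== m[1] + ':') return false;
  if (host.startsWith('*.')) return framer.hostname.endsWith(host.slice(1));
  return framer.host === host;
}

// Can a page served with these headers be framed by framerOrigin?
// Browser precedence: a frame-ancestors directive wins and X-Frame-Options is
// ignored; otherwise DENY / SAMEORIGIN apply; with neither, anyone may frame.
function framingAllowed(headers, pageOrigin, framerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors) {
    return ancestors.some((e) => sourceMatches(e, pageOrigin, framerOrigin));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  return true; // no anti-framing header at all: the state this CVE describes
}

// Constructed response header sets for the states discussed on this page.
const SAMPLES = {
  unpatched: { 'Content-Type': 'text/html' },
  phpFix: { 'Content-Security-Policy': "frame-ancestors 'none'" },
  nodeFix: {
    'Content-Security-Policy':
      "default-src 'self' data: https:; object-src 'none'; frame-ancestors 'self'",
  },
  legacyOnly: { 'X-Frame-Options': 'SAMEORIGIN' },
};

// For each sample: may the attacker frame it, and may the site frame itself?
function audit(samples = SAMPLES) {
  const report = {};
  for (const [name, headers] of Object.entries(samples)) {
    report[name] = {
      crossOrigin: framingAllowed(headers, SITE, ATTACKER),
      sameOrigin: framingAllowed(headers, SITE, SITE),
    };
  }
  return report;
}

console.table(audit());
```

Running it prints a table in which only the unpatched sample is frameable cross-origin; the PHP-style 'none' also blocks the site from framing itself, whereas the Node-style 'self' and a bare X-Frame-Options: SAMEORIGIN permit same-origin framing. To audit a live deployment, replace the SAMPLES map with headers fetched from the login page and from a generated site.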
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @haxtheweb/haxcms-nodejs | npm | < 11.0.13 | 11.0.13 |
| elmsln/haxcms | Packagist | < 11.0.8 | 11.0.8 |
Affected products
- Range: <= 11.0.12
- haxtheweb/issues v5, Range: < 11.0.13
Patches
708dc8518928 (haxcms-php) https://github.com/haxtheweb/issues/security/advisories/GHSA-54vw-f4xf-f92j#advisory-comment-132944
1 file changed · +3 −0
index.php+3 −0 modified@@ -2,6 +2,9 @@ if (!is_dir('_config') || !is_dir('_sites') || !is_dir('_archived') || !is_dir('_published')) { header("Location: install.php"); } +// CSP to prevent click-jacking on login page +header("Content-Security-Policy: frame-ancestors 'none'"); + include_once dirname(__FILE__) . '/system/backend/php/bootstrapHAX.php'; include_once $HAXCMS->configDirectory . '/config.php'; $appSettings = $HAXCMS->appJWTConnectionSettings('');
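Review bot: the new header is emitted only from index.php, so any other PHP entry point and anything the web server serves directly (the generated and published sites the advisory says are equally affected) still goes out without it; the very next line includes system/backend/php/bootstrapHAX.php, and if that file is shared by the other entry points it would be a better home for the header, with the web server or CDN as the alternative. Two smaller points: this sends `frame-ancestors 'none'` while the companion Node fix uses `'self'`, so the two backends now disagree on whether the CMS may frame its own pages, and the `header("Location: install.php")` branch just above still has no `exit` after the redirect, so the rest of the script keeps running on a fresh install (pre-existing, but worth closing while here). Consider also sending `X-Frame-Options: DENY` beside the CSP for user agents that do not honour frame-ancestors.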
777f9a7ff967 (haxcms-nodejs) https://github.com/haxtheweb/issues/security/advisories/GHSA-54vw-f4xf-f92j
1 file changed · +1 −0
src/app.js+1 −0 modified@@ -27,6 +27,7 @@ var helmetPolicies = { defaultSrc: ["'self'", "data:", "https:"], objectSrc: ["'none'"], fontSrc: ["'self'", "data:", "fonts.gstatic.com"], + frameAncestors: ["'self'"], }, }, referrerPolicy: {
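Review bot: `frameAncestors: ["'self'"]` only reaches responses that pass through this helmet middleware, so confirm it is mounted ahead of every route, static handlers for generated and published sites included; if those sites are served by a separate static server or a front proxy they remain frameable and need the header set there. The value also differs from the PHP fix, which sends `frame-ancestors 'none'`; pick one policy for both backends ('self' if the CMS frames its own pages, for example for previews, 'none' otherwise). A one-line comment citing the advisory next to the directive, as the PHP change has, would keep it from being dropped when the policy object is next reorganised.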
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] https://github.com/advisories/GHSA-54vw-f4xf-f92j (GHSA advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2025-54139 (NVD entry)
- [3] https://github.com/haxtheweb/haxcms-nodejs/commit/777f9a7ff9675a160496f350d766df1f1f9b9b99 (fix commit, haxcms-nodejs)
- [4] https://github.com/haxtheweb/haxcms-php/commit/708dc8518928fe307044e67bff8b0f397cfdd606 (fix commit, haxcms-php)
- [5] https://github.com/haxtheweb/issues/security/advisories/GHSA-54vw-f4xf-f92j (advisory in haxtheweb/issues)
News mentions
No linked articles in our index yet.