VYPR

npm package

@haxtheweb/haxcms-nodejs

pkg:npm/%40haxtheweb/haxcms-nodejs

Vulnerabilities (9)

  • CVE-2026-22704 (Jan 10, 2026)
    affected: >= 11.0.6, < 25.0.0; fixed: 25.0.0

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. In versions 11.0.6 to before 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0.

  • CVE-2025-54378 (Jul 26, 2025)
    affected: < 11.0.14; fixed: 11.0.14

    HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP ve

  • CVE-2025-54139 (Jul 22, 2025)
    affected: < 11.0.13; fixed: 11.0.13

    HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers to prevent other websites from loading th

  • CVE-2025-54137 (Jul 22, 2025)
    affected: < 11.0.10; fixed: 11.0.10

    HAX CMS NodeJS allows users to manage their microsite universe with a NodeJS backend. Versions 11.0.9 and below were distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys for JWTs. Users aren't p

  • CVE-2025-54134 (Jul 21, 2025)
    affected: < 11.0.9; fixed: 11.0.9

    HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.8 and below, the HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFi

  • CVE-2025-54128 (Jul 21, 2025)
    affected: < 11.0.8; fixed: 11.0.8

    HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.7 and below, the NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect

  • CVE-2025-54127 (Jul 21, 2025)
    affected: < 11.0.7; fixed: 11.0.7

    HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS version of HAXcms uses an insecure default configuration designed for local development. The default configuration does not perform authorizatio

  • CVE-2025-49141 (Jun 9, 2025)
    affected: < 11.0.3; fixed: 11.0.3

    HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the `gitImportSite` functionality obtains a URL string from a POST request and insufficiently validates user input. The `set_remote` function later passes this input into `pro

  • CVE-2025-49139 (Jun 9, 2025)
    affected: < 11.0.0; fixed: 11.0.0

    HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the
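Added example (not code from VYPR or from the HAX CMS project): a dependency-free Node.js script that checks an installed @haxtheweb/haxcms-nodejs version against the nine advisory ranges listed above and reports the lowest release that clears every match. The ranges and fixed versions are copied from this page; the version comparison is a minimal numeric x.y.z compare written for the example (pre-release and build suffixes are rejected rather than guessed at), and the sample installed version is constructed.

```javascript
// Advisory ranges as listed on this page for @haxtheweb/haxcms-nodejs.
const ADVISORIES = [
  { id: 'CVE-2026-22704', range: '>= 11.0.6, < 25.0.0', fixed: '25.0.0' },
  { id: 'CVE-2025-54378', range: '< 11.0.14', fixed: '11.0.14' },
  { id: 'CVE-2025-54139', range: '< 11.0.13', fixed: '11.0.13' },
  { id: 'CVE-2025-54137', range: '< 11.0.10', fixed: '11.0.10' },
  { id: 'CVE-2025-54134', range: '< 11.0.9', fixed: '11.0.9' },
  { id: 'CVE-2025-54128', range: '< 11.0.8', fixed: '11.0.8' },
  { id: 'CVE-2025-54127', range: '< 11.0.7', fixed: '11.0.7' },
  { id: 'CVE-2025-49141', range: '< 11.0.3', fixed: '11.0.3' },
  { id: 'CVE-2025-49139', range: '< 11.0.0', fixed: '11.0.0' },
];

// Parse a plain "x.y.z" (optional leading "v"). Anything with a pre-release or
// build suffix is rejected: treating "25.0.0-rc.1" as 25.0.0 would wrongly
// report it as fixed, so we fail loudly instead of guessing.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric compare: -1, 0 or 1 (usable directly as an Array.sort comparator).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

const OPS = {
  '<': (c) => c < 0,
  '<=': (c) => c <= 0,
  '>': (c) => c > 0,
  '>=': (c) => c >= 0,
  '=': (c) => c === 0,
};

// Parse ">= 11.0.6, < 25.0.0" into clauses; every clause must hold.
function parseRange(range) {
  return range.split(',').map((clause) => {
    const m = /^\s*(>=|<=|>|<|=)\s*(\S+)\s*$/.exec(clause);
    if (!m) throw new Error(`unparseable range clause: ${clause}`);
    return { op: m[1], bound: m[2] };
  });
}

function satisfies(version, range) {
  return parseRange(range).every(({ op, bound }) => OPS[op](compareVersions(version, bound)));
}

// Advisories whose affected range includes `installed`.
function affectedAdvisories(installed, advisories = ADVISORIES) {
  return advisories.filter((a) => satisfies(installed, a.range));
}

// Highest "fixed" version among the matches, i.e. the minimum upgrade target
// that resolves all of them; null when nothing listed applies.
function minimumSafeVersion(installed, advisories = ADVISORIES) {
  const hits = affectedAdvisories(installed, advisories);
  if (hits.length === 0) return null;
  return hits.map((a) => a.fixed).sort(compareVersions).pop();
}

// Constructed sample input, e.g. the version pinned in a lockfile.
const installed = '11.0.12';
const ids = affectedAdvisories(installed).map((a) => a.id);
console.log(`${installed}: ${ids.length ? ids.join(', ') : 'no listed advisories'}`);
console.log(`minimum safe version: ${minimumSafeVersion(installed)}`);
```

Run it with `node` after swapping in the version from your lockfile; for the constructed 11.0.12 it reports CVE-2026-22704, CVE-2025-54378 and CVE-2025-54139 and an upgrade target of 25.0.0, because the stored-XSS range reaches all the way to 25.0.0 even though the older findings were fixed within the 11.0.x line.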
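Added example, not code from HAX CMS or from this page: a framework-agnostic request handler showing the generic remediation for three classes of finding in the list above, a restrictive Content-Security-Policy with anti-framing headers on every response (the kind of gap behind CVE-2025-54128 and CVE-2025-54139), an authorization check before any resource is touched (the pattern missing in CVE-2025-54378 and CVE-2025-54127), and validation of required parameters that answers 400 instead of letting the handler throw (CVE-2025-54134). The route paths, role names and parameter names are assumptions made for illustration and are not HAX CMS's real API.

```javascript
// Headers attached to every response, including error responses.
// frame-ancestors 'none' is the current anti-clickjacking control;
// X-Frame-Options DENY covers clients that predate CSP level 2.
const SECURITY_HEADERS = Object.freeze({
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; " +
    "base-uri 'self'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'same-origin',
});

// Hypothetical route table (assumed for the example): minimum role and
// required query parameters per endpoint.
const ROUTES = {
  '/api/files': { role: 'user', params: ['site'] },
  '/api/users': { role: 'superuser', params: [] },
};

const ROLE_RANK = { anonymous: 0, user: 1, superuser: 2 };

// Own-property lookup so attacker-chosen keys such as "constructor" or
// "toString" cannot resolve to Object.prototype members and slip past checks.
function own(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Names in `required` that are absent or blank in `query`.
function missingParams(query, required) {
  return required.filter((name) => {
    const v = own(query, name) ? query[name] : undefined;
    return v === undefined || v === null || String(v).trim() === '';
  });
}

// `query` is a plain object of decoded parameters; `session` is the
// authenticated principal ({ role }) or null for an anonymous request.
function handle(path, query, session) {
  const reply = (status, body) => ({ status, headers: SECURITY_HEADERS, body });
  if (!own(ROUTES, path)) return reply(404, { error: 'not found' });
  const route = ROUTES[path];

  // Authorization first: nothing is read or written until the role is known.
  const role = session && own(ROLE_RANK, session.role) ? session.role : 'anonymous';
  if (ROLE_RANK[role] < ROLE_RANK[route.role]) {
    return reply(role === 'anonymous' ? 401 : 403, { error: 'not authorized' });
  }

  // Input validation second: a missing parameter is a client error, not a crash.
  const missing = missingParams(query || {}, route.params);
  if (missing.length > 0) {
    return reply(400, { error: 'missing required parameters', missing });
  }

  return reply(200, { ok: true, path, params: route.params.map((p) => [p, query[p]]) });
}

// Constructed sample calls.
console.log(handle('/api/files', {}, { role: 'user' }).status); // 400
console.log(handle('/api/files', { site: 'demo' }, null).status); // 401
console.log(handle('/api/users', {}, { role: 'user' }).status); // 403
console.log(handle('/api/files', { site: 'demo' }, { role: 'user' }).status); // 200
```

To serve this from Node's `http` module, build `query` with `Object.fromEntries(new URL(req.url, 'http://localhost').searchParams)`, copy `result.headers` onto the response with `res.setHeader`, and write `JSON.stringify(result.body)` with `result.status`. The ordering inside `handle` is deliberate: the 54134 description notes the crash was reachable by an authenticated attacker, so the authorization gate alone would not have prevented it, and the parameter check must sit in front of the resource access as well.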