Arbitrary JavaScript Code Execution in HAX CMS PHP
CVE-2025-49137

6.1MEDIUM

Key Information:

Vendor: Haxtheweb
Status: Issues
Vendor: CVE Published:; 9 June 2025

What is CVE-2025-49137?

HAX CMS PHP prior to version 11.0.0 is susceptible to a security vulnerability where insufficient input sanitization allows for arbitrary JavaScript code execution. The application features 'saveNode' and 'saveManifest' endpoints that accept user input, which is then incorporated into the JSON schema of the microsite. Although direct script tags are restricted, other HTML tags can still be utilized to run JavaScript, potentially compromising user interactions and data integrity. Version 11.0.0 addresses this vulnerability, enhancing input validation and strengthening overall security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

issues < 11.0.0

References

https://github.com/haxtheweb/issues/security/advisories/G...

x_refsource_CONFIRM

https://github.com/haxtheweb/haxcms-php/commit/0dd3e98fe2...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jun 9, 2025
Vulnerability Reserved
Jun 2, 2025

JSON

Haxtheweb