Arbitrary JavaScript Code Execution in HAX CMS PHP
CVE-2025-49137

8.5HIGH

Key Information:

Vendor: Haxtheweb
Status: Issues
Vendor: CVE Published:; 9 June 2025

What is CVE-2025-49137?

HAX CMS PHP prior to version 11.0.0 is susceptible to a security vulnerability where insufficient input sanitization allows for arbitrary JavaScript code execution. The application features 'saveNode' and 'saveManifest' endpoints that accept user input, which is then incorporated into the JSON schema of the microsite. Although direct script tags are restricted, other HTML tags can still be utilized to run JavaScript, potentially compromising user interactions and data integrity. Version 11.0.0 addresses this vulnerability, enhancing input validation and strengthening overall security.

Affected Version(s)

issues < 11.0.0

References

https://github.com/haxtheweb/issues/security/advisories/G...

x_refsource_CONFIRM

https://github.com/haxtheweb/haxcms-php/commit/0dd3e98fe2...

x_refsource_MISC

CVSS V3.1

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2025
Vulnerability Reserved
Jun 2, 2025

Haxtheweb

What is CVE-2025-49137?

Affected Version(s)

References

CVSS V3.1

Timeline