HIGH 8.7 CVE-2026-48527 HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint
from 0, < 26.0.1
from 0, < 11.0.3
from 0, < 11.0.14
HIGH 8.0 HAXcms Has Stored XSS Vulnerability that May Lead to Account Takeover
>= 11.0.6, < 25.0.0
HIGH 7.3 NodeJS version of the HAX CMS application is distributed with Default Secrets
from 0, < 11.0.10
MEDIUM 6.5 HAX CMS: Denial of Service using Malicious Import Request
from 0, < 26.0.0
MEDIUM 5.3 @haxtheweb/haxcms-nodejs Iframe Phishing vulnerability
from 0, < 11.0.0
MEDIUM 4.3 HAX CMS application pages vulnerable to clickjacking
from 0, < 11.0.13
— HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack
from 0, < 26.0.0
— Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover
from 0, < 26.0.0
— HAXcms: Private Key Disclosure via Broken HMAC Implementation
from 0, < 26.0.0
— HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft
from 0, < 26.0.0
— HAXcms createSite SSRF Enables Arbitrary File Read
from 0, < 26.0.0
— HAX CMS NodeJS Application Has Improper Error Handling That Leads to Denial of Service
from 0, < 11.0.9
— NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting
from 0, < 11.0.8
— NodeJS version of HAX CMS Has Insecure Default Configuration That Leads to Unauthenticated Access
from 0, < 11.0.7