cvedb.io
CVE-2025-49139
MEDIUM · CVSS 5.3
EPSS exploitation probability: 0%
Published 2025-06-09T21:15:47.203 · Last modified 2026-06-17T09:30:48.793

Summary

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is visited, the client's browser will query the supplied URL. An authenticated attacker can create a HAX site with a website block pointing at an attacker-controlled server running Responder or a similar tool. The attacker can then conduct a phishing attack by convincing another user to visit their malicious HAX site to harvest credentials. Version 11.0.0 contains a patch for the issue.

Affected products

psu — haxcms-nodejs

Does this affect you?

Add your gear to cvedb and we'll alert you only when psu ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.