Description

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is visited, the client's browser will query the supplied URL. An authenticated attacker can create a HAX site with a website block pointing at an attacker-controlled server running Responder or a similar tool. The attacker can then conduct a phishing attack by convincing another user to visit their malicious HAX site to harvest credentials. Version 11.0.0 contains a patch for the issue.

INFO

Published Date :

2025-06-09T21:08:44.391Z

Last Modified :

2025-06-10T15:29:40.105Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-49139 vulnerability.

Vendors Products
Psu
  • Haxcms-nodejs
  • Haxcms-php
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-49139.

URL Resource
https://github.com/haxtheweb/haxcms-nodejs/commit/5368eb9b278ca47cd9a83b8d3e6216375615b8f5 cve-icon cve-icon
https://github.com/haxtheweb/issues/security/advisories/GHSA-v3ph-2q5q-cg88 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact