216.73.217.22

CVE-2025-54127

· Published 21/07/2025 21:15 · Modified 22/07/2025 13:05

Labels: CVE-2025-54127 2025-07-21CVE-2025-54127CWE-1188[email protected]

Essential information

Published
21/07/2025 21:15
Modified
22/07/2025 13:05
Author
Creator
CVSS
9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS version of HAXcms uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authentication checks. If a user were to deploy haxcms-nodejs without modifying the default settings, ‘HAXCMS_DISABLE_JWT_CHECKS‘ would be set to ‘true‘ and their deployment would lack session authentication. This is fixed in version 11.0.7.

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
haxcms / haxcms cpe:2.3:a:haxcms:haxcms:11.0.6:*:*:*:*:*:*:*
haxcms / haxcms cpe:2.3:a:haxcms:haxcms:11.0.7:*:*:*:*:*:*:*

References