PT-2025-23555 · Hax · Hax Open-Apis+1

23Younesm · Published 2025-06-02 · Updated 2025-06-05 · CVE-2025-48996

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

HAX open-apis versions up to and including 10.0.2

Description

An unauthenticated information disclosure issue exists in the HAX content management system via the haxPsuUsage API endpoint. This allows any remote unauthenticated user to retrieve a full list of PSU websites hosted on HAX CMS. When combined with other authorization issues, this could assist in targeted attacks such as unauthorized content modification or deletion.

Recommendations

For HAX open-apis versions up to and including 10.0.2, apply the patch from commit 06c2e1fbb7131a8fe66aa0600f38dcacae6b7ac7 to resolve the issue. As a temporary workaround, consider restricting access to the haxPsuUsage API endpoint until the patch is applied.

Related Identifiers

CVE-2025-48996
GHSA-FVX2-X7FF-FC56

Affected Products

Hax Cms
Hax Open-Apis