PT-2025-24563 · Hax Cms · Hax Cms

Btopro published · Published 2025-06-09 · Updated 2025-06-20 · CVE-2025-49138

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

HAX CMS PHP versions prior to 11.0.0

Description

The issue is related to an authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint. This vulnerability allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. Attackers can exfiltrate sensitive system files, such as /etc/passwd, application secrets, or configuration files accessible to the web server.

The vulnerability occurs because the HAXCMS backend handles the location field in the site's outline without validating or sanitizing the input. When a user sends a POST request to "/system/api/saveOutline", the backend stores the provided location value directly into the site.json file associated with the site. Later, the location parameter is interpreted by the CMS to resolve and load the content for a given node. If the location field contains a relative path like ../../../etc/passwd, the application will attempt to read and render that file.

Recommendations

For versions prior to 11.0.0, update to version 11.0.0 to fix the issue. As a temporary workaround, consider restricting access to the "/system/api/saveOutline" endpoint to minimize the risk of exploitation. Additionally, restrict the use of the location field in the site's outline to prevent arbitrary file inclusion.
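
An audit for the condition described above, as an added example (not HAX CMS code): it scans a site.json for location values that are absolute or contain parent-directory segments, which is useful for checking existing sites before or after upgrading. The items/id/location layout, the function names and the sample data are assumptions constructed for illustration.

```python
import json
from urllib.parse import unquote

# Constructed sample. Assumption: site.json holds an "items" list whose
# entries carry "id" and "location" keys; adjust to the real layout.
SAMPLE_SITE_JSON = json.dumps({"items": [
    {"id": "item-1", "location": "pages/welcome/index.html"},
    {"id": "item-2", "location": "../../../etc/passwd"},
    {"id": "item-3", "location": "/etc/passwd"},
    {"id": "item-4", "location": "pages/%2e%2e/%2e%2e/secrets.php"},
    {"id": "item-5", "location": "pages\\..\\..\\config.php"},
]})


def location_problem(location):
    """Return why a location could leave the site directory, or None if it looks safe."""
    if not isinstance(location, str) or not location:
        return "missing or non-string location"
    # Conservative: undo up to three layers of percent-encoding before checking.
    decoded = location
    for _ in range(3):
        decoded = unquote(decoded)
    if "\x00" in decoded:
        return "NUL byte"
    decoded = decoded.replace("\\", "/")  # treat backslashes as separators
    if decoded.startswith("/") or decoded[1:2] == ":":
        return "absolute path"
    if ".." in decoded.split("/"):
        return "parent-directory segment"
    return None


def audit_site_json(text):
    """Return (id, location, reason) for every outline item with a suspect location."""
    findings = []
    for item in json.loads(text).get("items", []):
        reason = location_problem(item.get("location"))
        if reason:
            findings.append((item.get("id"), item.get("location"), reason))
    return findings


if __name__ == "__main__":
    for item_id, location, reason in audit_site_json(SAMPLE_SITE_JSON):
        print(f"{item_id}: {location!r} -> {reason}")
```

The same predicate can serve as a server-side allow check before a location value is stored, paired with a resolved-path comparison against the site directory at read time.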

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-49138
GHSA-HXRR-X32W-CG8G

Affected Products

Hax Cms