PT-2025-24564 · Hax Cms · Hax Cms

Lfgberg

+1

·

Published

2025-06-09

·

Updated

2025-06-09

·

CVE-2025-49139

CVSS v3.1

6.5

Medium

Vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: HAX CMS PHP, versions prior to 11.0.0
Description: The issue allows an authenticated attacker to create a HAX site containing a website block that loads an attacker-chosen URL in an iframe, which can be used for phishing. When a user visits the malicious HAX site, their browser fetches the supplied URL, so the attacker controls what is rendered inside the otherwise trusted HAX page. By convincing another user to visit the site, the attacker can present a credential-entry page inside the frame and harvest the credentials the user enters.
Recommendations: For versions prior to 11.0.0, update to version 11.0.0 or later. As a temporary workaround, restrict use of the website block feature in the HAX site editor to limit exposure until the update is applied.
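The root of the issue above is that the website block embeds whatever URL an editor supplies. The following is an added example, not HAX CMS project code and not the fix shipped in 11.0.0, of the check a practitioner would want in front of such a block: the embed URL must be absolute, must use https, must carry no embedded credentials, and its origin must appear on an allowlist; the frame is then emitted with a sandbox that omits allow-forms and allow-top-navigation as defence in depth. The function names (validateEmbedUrl, buildWebsiteBlock) and the allowlist entries are hypothetical.

```javascript
// Added example (hypothetical names; not HAX CMS code): allowlist validation
// for the URL an editor places in a "website" (iframe) block, plus a hardened
// iframe builder. Runs under Node.js, which provides the global URL class.

// Constructed allowlist of origins this site is willing to frame.
const DEFAULT_ALLOWED_ORIGINS = ["https://docs.example", "https://www.youtube.com"];

// Returns { ok: true, href } for an acceptable URL, otherwise { ok: false, reason }.
function validateEmbedUrl(input, allowedOrigins = DEFAULT_ALLOWED_ORIGINS) {
  let url;
  try {
    url = new URL(String(input)); // relative paths and garbage throw here
  } catch (e) {
    return { ok: false, reason: "not an absolute URL" };
  }
  // Rejecting everything but https also rejects javascript:, data: and http:.
  if (url.protocol !== "https:") {
    return { ok: false, reason: "scheme not https" };
  }
  // user:pass@host is a classic trick for making a hostname look trusted.
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in URL" };
  }
  // Compare the full origin (scheme + host + port), not a substring of the host,
  // so docs.example.evil.test does not pass as docs.example.
  if (!allowedOrigins.includes(url.origin)) {
    return { ok: false, reason: "origin not allowlisted: " + url.origin };
  }
  return { ok: true, href: url.href };
}

// Minimal HTML attribute escaping for the values we interpolate below.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Builds the markup for a website block, or a visible refusal if the URL fails.
// The sandbox deliberately omits allow-forms and allow-top-navigation: a framed
// page cannot submit a form or navigate the host page. That is defence in depth
// only; the allowlist is what keeps attacker-controlled content out of the frame.
function buildWebsiteBlock(input, allowedOrigins = DEFAULT_ALLOWED_ORIGINS) {
  const v = validateEmbedUrl(input, allowedOrigins);
  if (!v.ok) {
    return `<p class="embed-blocked">Embed refused: ${escapeAttr(v.reason)}</p>`;
  }
  return (
    `<iframe src="${escapeAttr(v.href)}" ` +
    `sandbox="allow-scripts allow-same-origin" ` +
    `referrerpolicy="no-referrer" loading="lazy"></iframe>`
  );
}

// Usage with constructed inputs: an allowlisted page and an attacker login page.
console.log(buildWebsiteBlock("https://docs.example/guide?x=1"));
console.log(buildWebsiteBlock("https://evil.example/login"));

module.exports = { validateEmbedUrl, buildWebsiteBlock, DEFAULT_ALLOWED_ORIGINS };
```

In a multi-tenant CMS the allowlist would normally be managed by an administrator rather than by the site editor who places the block; otherwise the attacker who can create the site can simply extend the list.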

Exploit

Fix

Clickjacking

Weakness Enumeration

Related Identifiers

CVE-2025-49139
GHSA-V3PH-2Q5Q-CG88

Affected Products

Hax Cms