PT-2025-30344 · Hax Cms · Hax Cms

Asareynolds · Published 2025-07-21 · Updated 2025-07-22

CVE-2025-54127
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: HAXcms versions prior to 11.0.7

Description: HAXcms with a Node.js backend allows users to start the server in any HAXsite or HAXcms instance. The Node.js version of HAXcms, in versions 11.0.6 and below, uses an insecure default configuration intended for local development. This configuration lacks session authentication because the HAXCMS_DISABLE_JWT_CHECKS variable is set to true by default, so the server accepts requests without a valid session token. The CVSS vector (AV:N, PR:N, UI:N) reflects this: an unauthenticated network attacker needs no user interaction.

Recommendations: HAXcms versions prior to 11.0.7: Update to version 11.0.7 or later. After upgrading, check the deployment environment as well: a HAXCMS_DISABLE_JWT_CHECKS=true setting carried over from a development configuration would keep session checks disabled regardless of the packaged default.

Related Identifiers

CVE-2025-54127
GHSA-F38F-JVQJ-MFG6

Affected Products

Hax Cms