PT-2025-30359 · Unknown · Haxcms-Nodejs

Published 2025-07-21 · Updated 2025-07-23 · CVE-2025-54137

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
HAX CMS NodeJS versions 11.0.9 and below

Description
HAX CMS NodeJS ships with hardcoded default credentials for the user and superuser accounts and a default private key used to sign JWTs. Users are not prompted to change these credentials or secrets during installation, and there is no way to change them through the user interface. Because the defaults are committed to the public haxtheweb GitHub repositories, an unauthenticated attacker can read them and use them against any instance that still runs with the defaults: the default passwords give direct login, and the default JWT signing key lets the attacker mint tokens the server accepts. This potentially allows access to unconfigured instances, site modification, and further attacks.

Recommendations
HAX CMS NodeJS version 11.0.10 and later should be used. Upgrading alone does not retroactively protect an instance that ran with the published defaults; operators of such instances should also replace the account passwords and the JWT secret, since anything derived from the published values must be treated as known to attackers.

Related Identifiers

CVE-2025-54137
GHSA-5FPV-5QVH-7CF3

Affected Products

Haxcms-Nodejs