PT-2025-30361 · Hax Cms · Hax Cms

Lfgberg · Published 2025-07-21 · Updated 2025-07-23 · CVE-2025-54139

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

HAX CMS versions 11.0.7 and below (PHP)
HAX CMS versions 11.0.12 and below (NodeJS)

Description

HAX CMS does not include headers to prevent websites from loading the application within an iframe. This affects both the CMS and generated sites. An unauthenticated attacker can load sensitive functionality, such as the login page, within an iframe, enabling a UI redressing attack (clickjacking). This can be used to perform social engineering attacks to coerce users into performing unintended actions.

Recommendations

HAX CMS versions 11.0.7 and below (PHP): Update to version 11.0.8 or later.
HAX CMS versions 11.0.12 and below (NodeJS): Update to version 11.0.13 or later.
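
The advisory does not name the headers the fixed releases send; the standard anti-framing controls are `X-Frame-Options` and the CSP `frame-ancestors` directive. The following is an added example, not HAX CMS code, that audits a response's headers for them after an upgrade; `frameAncestors`, `auditFraming` and the sample header sets are constructed for illustration.

```javascript
// Added example: audit response headers for anti-framing protection.
// Header names are lower-cased, as Node's http module and fetch() expose them.
// Assumes one policy per Content-Security-Policy header value.
function frameAncestors(csp) {
  // Return the source list of the first frame-ancestors directive, or null.
  for (const directive of String(csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null;
}

function auditFraming(headers) {
  const findings = [];
  const sources = frameAncestors(headers["content-security-policy"]);
  const xfo = String(headers["x-frame-options"] || "").trim().toUpperCase();
  const xfoOk = xfo === "DENY" || xfo === "SAMEORIGIN";
  let cspOk = false;

  if (sources !== null) {
    // An empty source list behaves like 'none'; a wildcard lets any origin frame the page.
    const open = sources.some((s) => ["*", "http:", "https:"].includes(s));
    cspOk = !open;
    if (open) findings.push("frame-ancestors allows any origin");
  } else if (frameAncestors(headers["content-security-policy-report-only"]) !== null) {
    findings.push("frame-ancestors is report-only and is not enforced");
  }
  if (xfo && !xfoOk) findings.push(`X-Frame-Options "${xfo}" is not DENY or SAMEORIGIN`);
  if (!xfo && sources === null) findings.push("no enforced anti-framing header");

  // Browsers skip X-Frame-Options when an enforced frame-ancestors directive exists.
  return { protected: sources !== null ? cspOk : xfoOk, findings };
}

// Constructed sample header sets (not captured from HAX CMS).
const samples = {
  bare: { "content-type": "text/html" },
  hardened: {
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "x-frame-options": "DENY",
  },
  overridden: { "content-security-policy": "frame-ancestors *", "x-frame-options": "DENY" },
  legacy: { "x-frame-options": "ALLOW-FROM https://example.test" },
};
for (const [name, h] of Object.entries(samples)) {
  console.log(name, JSON.stringify(auditFraming(h)));
}
```

Run the audit against both the CMS login page and a generated site, since the advisory states that both are affected.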

Exploit

Fix

Clickjacking

Weakness Enumeration

Related Identifiers

CVE-2025-54139
GHSA-54VW-F4XF-F92J

Affected Products

Hax Cms