PT-2026-30720 · Hax Cms · Hax Cms

Trigerman · Published 2026-04-06 · Updated 2026-04-06 · CVE-2026-35185

CVSS v4.0: 8.7 High

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

HAX CMS versions prior to 25.0.0

Description

HAX CMS, used for managing microsite universes with PHP or NodeJs backends, has an issue where the /server-status endpoint is publicly accessible in versions prior to 25.0.0. This exposure allows unauthenticated users to access sensitive information, including authentication tokens (user token), user activity, client IP addresses, and server configuration details, enabling monitoring of real-time user interactions and gathering of internal infrastructure information.

Recommendations

Update to version 25.0.0 or later.
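To judge whether the endpoint was read by outsiders before the upgrade, the web server's access log can be audited for successful /server-status requests from untrusted addresses. The script below is an added example, not code from HAX CMS or from this advisory; it assumes Combined Log Format access logs, a hypothetical trusted-network list, and constructed sample log lines.

```python
import ipaddress
import re
from collections import Counter

# Assumption: networks that are allowed to read the status page.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "10.0.0.0/8")]

# Combined Log Format: client ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def is_status_path(target):
    """True when the request path (query string ignored) is /server-status."""
    path = target.split("?", 1)[0]
    return path == "/server-status" or path.startswith("/server-status/")

def is_trusted(client):
    """True when the client address falls inside a trusted network."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostname or malformed field: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def exposed_hits(lines):
    """Return (client, time, target) for 2xx /server-status reads by untrusted clients."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_status_path(m["target"]):
            continue
        if m["status"].startswith("2") and not is_trusted(m["client"]):
            hits.append((m["client"], m["time"], m["target"]))
    return hits

def hits_by_client(lines):
    """Count exposed reads per client address, for triage."""
    return Counter(client for client, _, _ in exposed_hits(lines))

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Apr/2026:10:01:02 +0000] "GET /server-status HTTP/1.1" 200 5120 "-" "client-a"',
    '127.0.0.1 - - [06/Apr/2026:10:01:05 +0000] "GET /server-status HTTP/1.1" 200 812 "-" "monitor"',
    '198.51.100.23 - - [06/Apr/2026:10:02:11 +0000] "GET /server-status?refresh=5 HTTP/1.1" 200 5310 "-" "client-b"',
    '198.51.100.23 - - [06/Apr/2026:10:03:40 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "client-b"',
    '203.0.113.7 - - [06/Apr/2026:10:04:00 +0000] "GET /server-status-page HTTP/1.1" 200 300 "-" "client-a"',
    '10.2.3.4 - - [06/Apr/2026:10:05:00 +0000] "GET /server-status HTTP/1.1" 200 5000 "-" "ops"',
]

if __name__ == "__main__":
    for client, when, target in exposed_hits(SAMPLE_LOG):
        print(f"{when}  {client}  {target}")
```

Any hit means the tokens visible on the status page at that time should be treated as disclosed and the affected sessions invalidated.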

Fix

Weakness Enumeration

Improper Access Control

Insufficiently Protected Credentials

Insertion into Log File

Related Identifiers

CVE-2026-35185

Affected Products

Hax Cms