Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
Summary
An authenticated Server-Side Request Forgery (SSRF) vulnerability in HAXcms allows users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access.
Details
The createSite endpoint in HAXcms (v11.0.6) accepts a build.files parameter that allows an authenticated user to supply arbitrary URLs or local file paths. This input is processed without validation and ultimately fetched server-side using file_get_contents().
The data flow is as follows:
- User input (
build.files) is processed viaobject_to_array()into a PHP array - Assigned to
$filesToDownloadinOperations.php(line 2626) - Iterated over in
Operations.php(line 2730), where each entry is passed toHAXCMSFile::save()with bulk-import enabled
In HAXCMSFile.php (line 30), the following occurs:
file_get_contents($upload['tmp_name']);Here, tmp_name is attacker-controlled and may contain:
- External URLs (
http://attacker.com) - Internal services (
http://127.0.0.1) - Cloud metadata endpoints (
http://169.254.169.254) - Local file paths (
/etc/passwd,/proc/self/environ)
The bulk-import flag bypasses is_uploaded_file() validation, which normally ensures the file originates from a legitimate upload. The only restriction is an extension whitelist based on the filename (array key), which is fully attacker-controlled.
There are no restrictions on:
- URL schemes (
http,file,gopher, etc.) - Destination IP ranges (internal, loopback, metadata services)
- Response content
All fetched content is written to:
sites/<sitename>/files/<filename>and is accessible via the web.
PoC
Prerequisites:
- Authenticated session (default credentials:
admin/adminon fresh installs) - Valid JWT and CSRF token
Step 1: Log in and capture JWT + CSRF token
Step 2: Send crafted request:
POST /createSite HTTP/1.1
Host: target
Authorization: Bearer [JWT]
X-CSRF-Token: [TOKEN]
Content-Type: application/json
{
"site": {
"name": "poc"
},
"build": {
"files": {
"poc.txt": {
"tmp_name": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
}
}
}
}Step 3: Retrieve response:
GET /sites/poc/files/poc.txtThe response will contain the fetched content (e.g., cloud credentials or internal service data).
Impact
- SSRF enabling access to internal network services
- Arbitrary file read via local filesystem paths
- Cloud credential exposure through metadata endpoints
- Data exfiltration via web-accessible file storage
Any authenticated user can exploit this to access sensitive server or infrastructure data, potentially leading to full system or cloud environment compromise.
AnalysisAI
Server-Side Request Forgery in HAXcms (versions <= 25.0.0 of @haxtheweb/haxcms-nodejs, with PoC against v11.0.6) allows authenticated low-privileged users to coerce the server into fetching arbitrary URLs or local file paths via the createSite endpoint's build.files parameter, with responses written to a web-accessible directory. This produces arbitrary file read, internal network reconnaissance, and cloud metadata credential theft. Publicly available exploit code exists in the GHSA advisory, though no CISA KEV listing is present.
Technical ContextAI
HAXcms is an open-source headless CMS distributed as the npm package @haxtheweb/haxcms-nodejs, but the vulnerable code path is the PHP backend component. The root cause is CWE-918 (Server-Side Request Forgery): the createSite endpoint deserializes attacker-controlled JSON into $filesToDownload (Operations.php line 2626), iterates the entries (line 2730), and passes each item to HAXCMSFile::save() with a bulk-import flag. In HAXCMSFile.php line 30, the code calls file_get_contents($upload['tmp_name']) where tmp_name is fully attacker-controlled. The bulk-import flag deliberately skips PHP's is_uploaded_file() check, and file_get_contents() in PHP supports multiple URL wrappers (http, https, ftp, file, gopher under some configurations), so the input is treated as a stream URL rather than an actual uploaded temp file. The only validation is an extension whitelist applied to the JSON key (filename), which the attacker also controls.
RemediationAI
Vendor-released patch: upgrade @haxtheweb/haxcms-nodejs to version 26.0.0 or later, per the GHSA-q862-gcgq-5m6g advisory at https://github.com/haxtheweb/issues/security/advisories/GHSA-q862-gcgq-5m6g. Operators who cannot immediately upgrade should rotate or remove default admin/admin credentials and enforce strong authentication on the /createSite endpoint, then restrict outbound network egress from the HAXcms host so it cannot reach internal RFC1918 ranges, loopback, or cloud metadata endpoints (169.254.169.254, fd00:ec2::254) - note this will break any legitimate outbound import workflows. Where feasible, place a reverse proxy or WAF rule in front of /createSite to reject requests whose build.files entries contain scheme prefixes (http://, https://, file://, gopher://, ftp://) or absolute filesystem paths, and consider revoking IMDSv1 in favor of IMDSv2 with hop-limit 1 on cloud instances to neutralize the metadata-exfiltration path.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34884
GHSA-q862-gcgq-5m6g