
PHP · EUVD-2025-17562 | CVE-2025-49137 · HIGH (8.5)
Cross-site Scripting (XSS) (CWE-79)
Published 2025-06-09 · Source: security-advisories@github.com · GHSA-2vc4-3hx7-v7v7
CVSS 3.1 base score 8.5 · GitHub Advisory

Severity by source

GitHub Advisory (primary): 8.5 HIGH
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory; it is the only scoring source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline

EUVD ID Assigned · Mar 14, 2026 19:21 (euvd) · EUVD-2025-17562
Analysis Generated · Mar 14, 2026 19:21 (vuln.today)
Patch released · Mar 14, 2026 19:21 (nvd) · Patch available
PoC Detected · Jul 30, 2025 17:36 (vuln.today) · Public exploit code
CVE Published · Jun 09, 2025 21:15 (nvd)

Description (GitHub Advisory)

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a script tag, it does allow the use of other HTML tags to run JavaScript. Version 11.0.0 fixes the issue.

Analysis (AI)

HAX CMS PHP before version 11.0.0 has a stored cross-site scripting (XSS) flaw: the 'saveNode' and 'saveManifest' endpoints accept user-supplied content and store it in the site's JSON schema without sufficient sanitization, and that content is later rendered into the generated HAX site. An authenticated attacker with low privileges can inject arbitrary JavaScript through HTML elements other than <script>, which is the only element the application refuses; the payload then executes in the browser of anyone who views the generated site. The 8.5 rating reflects network reachability, low attack complexity, no victim interaction beyond viewing the site (UI:N), a changed scope (the code runs in visitors' browsers rather than inside the CMS backend), high confidentiality impact (for example session cookies and any data visible to the victim) and low integrity impact. Exploitation does require a valid CMS account able to call these endpoints, which is why Privileges Required is Low rather than None.

Technical Context (AI)

HAX CMS is a PHP-based headless content management system that lets users manage a "microsite universe" through a web interface. The vulnerability stems from insufficient input validation and output encoding in two endpoints, 'saveNode' and 'saveManifest'. Both accept user-supplied JSON and store it in the site's JSON schema; when the generated HAX site is rendered, that stored content is emitted as HTML and any JavaScript embedded in it runs in the visitor's browser. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting') in its stored variant: the payload persists in the application's data store and fires on every render. The application's only control is a refusal of <script> tags, and that blacklist is bypassed by any other element that can run JavaScript, for example <img src=x onerror=...>, <svg onload=...>, <a href="javascript:...">, or <iframe src="javascript:...">. This is the classic blacklist failure: the developer assumed that blocking one vector was enough instead of allowlisting permitted tags and attributes, or encoding output for its HTML context; a Content Security Policy that forbids inline script would have been a further defense-in-depth layer.

Remediation (AI)

Immediate Actions:
(1) Upgrade HAX CMS PHP to version 11.0.0 or later, which fixes the insufficient input sanitization in the 'saveNode' and 'saveManifest' endpoints.
(2) Patch verification: after upgrading, submit content through those endpoints that carries an event-handler attribute or a javascript: URL (not only a <script> tag) and confirm it is neutralized in the generated site. The exact fix is not described on this page; it likely involves some combination of HTML entity encoding on output, an allowlist of permitted tags and attributes, and a Content Security Policy.
(3) Short-term mitigations if the upgrade must wait: add a Web Application Firewall rule that blocks requests to 'saveNode' and 'saveManifest' containing event-handler attributes (onerror, onload, onclick and the rest) or javascript: URLs, bearing in mind that such a rule is itself a blacklist and will not catch every encoding; restrict who can reach these endpoints to trusted accounts or admin IP ranges; or disable public serving of generated microsites until patched.
(4) Post-remediation: audit existing site data for payloads already stored in the JSON schema, since upgrading does not clean what was saved before the fix; remove or re-sanitize any suspicious content, and treat it as evidence of compromise if it was not placed by a known author.
(5) Vendor advisory: the GitHub advisory GHSA-2vc4-3hx7-v7v7 listed above is the primary source for this CVE. This page carries no further vendor link; consult the HAX project's GitHub repository (https://github.com/elmsln/HAX) or official documentation for the 11.0.0 release notes and patch details.
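An audit and sanitization helper, added here as an illustration and not HAX CMS's own code or its 11.0.0 fix. It walks a constructed stand-in for a site's JSON schema (the `items`/`content` layout and the node IDs are assumptions, not the real HAX manifest format), shows that a filter which rejects only `<script>` passes the event-handler and `javascript:` payloads described in the Technical Context, reports those sinks per node for the post-remediation audit in step (4), and contrasts that blacklist with an allowlist sanitizer of the kind step (2) describes. It is written in Python for portability rather than in the project's PHP.

```python
"""Audit stored node content for JavaScript sinks that a script-tag-only
filter misses, then sanitize it with an allowlist.

Added example, not HAX CMS code. The manifest layout is a constructed
stand-in; field names are assumptions for illustration only."""
import html
import re
from html.parser import HTMLParser

# Constructed sample: what a site manifest might hold after a few saveNode calls.
SAMPLE_MANIFEST = {
    "title": "demo site",
    "items": [
        {"id": "intro", "content": "<p>Welcome to <b>my</b> site</p>"},
        {"id": "gallery", "content": '<img src="x" onerror="alert(document.cookie)">'},
        {"id": "logo", "content": "<svg onload=alert(1)></svg>"},
        {"id": "links", "content": '<a href="jav&#x09;ascript:alert(1)">click</a>'},
        {"id": "old", "content": "<script>alert(1)</script>"},
    ],
}

def script_tag_only_filter(content: str) -> bool:
    """The kind of check the advisory calls insufficient: True if no <script> is present."""
    return re.search(r"<\s*script\b", content, re.IGNORECASE) is None

URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}

def normalized_url(value) -> str:
    """Strip whitespace/control characters browsers ignore inside a scheme; lower-case."""
    return "".join(c for c in (value or "") if not c.isspace() and ord(c) >= 0x20).lower()

def is_js_url(value) -> bool:
    return normalized_url(value).startswith("javascript:")

def is_safe_url(value) -> bool:
    v = normalized_url(value)
    return v.startswith(("http://", "https://", "mailto:", "/", "#")) or ":" not in v

class JsSinkFinder(HTMLParser):
    """Collects elements and attributes that run JavaScript without a <script> tag."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag in {"script", "iframe", "object", "embed"}:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:  # attribute values arrive entity-decoded
            if name.startswith("on"):
                self.findings.append(f"<{tag} {name}> event handler")
            elif name in URL_ATTRS and is_js_url(value):
                self.findings.append(f"<{tag} {name}=javascript:> URL")

def find_js_sinks(content: str) -> list:
    p = JsSinkFinder(); p.feed(content); p.close(); return p.findings

def audit_manifest(manifest: dict) -> dict:
    """Per node: would the script-only filter accept it, and which sinks does it carry?"""
    return {
        node["id"]: {
            "passes_script_tag_only_filter": script_tag_only_filter(node["content"]),
            "js_sinks": find_js_sinks(node["content"]),
        }
        for node in manifest["items"]
    }

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "img", "ul", "ol", "li",
                "h1", "h2", "h3", "code", "pre", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}  # their text is discarded, not just their tags

class AllowlistSanitizer(HTMLParser):
    """Re-serializes HTML keeping only allowed tags/attributes; everything else is escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self._dropping = [], None
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._dropping = tag
        if tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its text content is kept, escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler, style, etc.
            if name in URL_ATTRS and not is_safe_url(value):
                continue  # drops javascript:, data: and other schemes
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag == self._dropping:
            self._dropping = None
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if self._dropping is None:
            self.out.append(html.escape(data, quote=False))

def sanitize(content: str) -> str:
    p = AllowlistSanitizer(); p.feed(content); p.close(); return "".join(p.out)

if __name__ == "__main__":
    for node_id, result in audit_manifest(SAMPLE_MANIFEST).items():
        print(node_id, result)
    for node in SAMPLE_MANIFEST["items"]:
        print(node["id"], "->", sanitize(node["content"]))
```

Run as a script it prints, per node, whether the script-only check would have accepted the content and which sinks it contains, then the allowlisted rendering of each node. `html.parser` is not a full HTML5 parser, so treat this as an audit aid and a demonstration of the allowlist principle; a production sanitizer for a PHP backend should be a maintained library such as HTML Purifier, with output encoding and a Content Security Policy behind it.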


EUVD-2025-17562 vulnerability details – vuln.today
