EUVD-2025-17562 | CVE-2025-49137
Severity: HIGH, CVSS 3.1 base score 8.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 19:21 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 19:21 (euvd) - EUVD-2025-17562
Patch Released: Mar 14, 2026 19:21 (nvd) - patch available
PoC Detected: Jul 30, 2025 17:36 (vuln.today) - public exploit code
CVE Published: Jun 09, 2025 21:15 (nvd)

Description

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a `script` tag, it does allow the use of other HTML tags to run JavaScript. Version 11.0.0 fixes the issue.

Analysis

HAX CMS PHP versions prior to 11.0.0 contain a stored cross-site scripting (XSS) vulnerability: the 'saveNode' and 'saveManifest' endpoints fail to properly sanitize user input before storing it in the site's JSON schema. An authenticated attacker with low privileges can inject arbitrary JavaScript through HTML tags other than a direct <script> tag, and that JavaScript executes in the context of the generated HAX sites, potentially compromising site integrity and user data. The vulnerability carries a high CVSS score of 8.5 because it is reachable over the network, has low attack complexity and has a changed scope (the impact reaches the generated sites and their visitors), though real-world exploitation requires an authenticated account and a victim who views the generated content.

Technical Context

HAX CMS is a PHP-based headless content management system that lets users manage microsite universes through a web interface. The vulnerability stems from insufficient input validation and output encoding in two critical endpoints, 'saveNode' and 'saveManifest'. These endpoints accept user-supplied JSON data and store it directly in the site's JSON schema without proper sanitization; when the generated HAX site is rendered to end users, the stored content is emitted as HTML and any JavaScript it carries runs in the visitor's browser. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting') in its stored variant: the malicious payload persists in the application's data store. The attack bypasses the application's block on <script> tags by using other HTML elements with event handlers or script URLs (e.g., <img onerror=>, <svg onload=>, <iframe src=javascript:>) to reach arbitrary JavaScript execution. This is a classic input validation bypass: the developer assumed that blocking one vector (script tags) was sufficient and did not implement comprehensive output encoding or Content Security Policy controls.

Affected Products

HAX CMS PHP versions prior to 11.0.0. Specific affected versions are not enumerated in the provided description, but the advisory indicates that all versions before 11.0.0 are vulnerable. The product is maintained by the open-source HAX project. CPE data is not provided in the source material, but the affected software can be identified as: **Product**: HAX CMS, **Affected Versions**: < 11.0.0, **Fixed Version**: 11.0.0+, **Platform**: PHP-based web applications. Organizations using HAX CMS for microsite/website generation should audit their installed version immediately.

Remediation

**Immediate Actions**: (1) Upgrade HAX CMS to version 11.0.0 or later. This version includes fixes for insufficient input sanitization in the 'saveNode' and 'saveManifest' endpoints.
(2) **Patch Verification**: After upgrading, verify that user input is properly sanitized and output-encoded; the fix likely implements one or more of HTML entity encoding on output, HTML tag whitelist validation, or Content Security Policy headers.
(3) **Short-term Mitigations** (if the upgrade is delayed): Implement a Web Application Firewall (WAF) rule that blocks requests to the 'saveNode' and 'saveManifest' endpoints containing event handler attributes (onerror, onload, onclick, etc.); restrict access to these endpoints to trusted admin IP ranges; or disable user-facing microsite generation until patched. Treat the WAF rule as a stop-gap only: an attribute-name blocklist has the same weakness as the original script-tag filter.
(4) **Post-Remediation**: Audit existing HAX CMS data for malicious payloads in the JSON schema; sanitize or remove any suspicious content.
(5) **Vendor Advisory**: Check the HAX project's GitHub repository (https://github.com/elmsln/HAX) or official website for the version 11.0.0 release notes and patch details. No direct vendor advisory link is provided in the source; consult the project documentation.
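The following Python script is an added example, not code from the HAX project or from vuln.today. It illustrates two points from this page at once: the Technical Context observation that a filter which only strips <script> elements lets event-handler attributes and javascript: URLs through, whereas an allowlist sanitizer does not, and the Post-Remediation step of auditing stored site data for such markup. The manifest layout, the allowed-tag set and every function name are assumptions chosen for the example, not HAX's real JSON schema or API; the sample content is constructed. Python is used because this is a stand-alone audit tool run over exported data, not a patch to the PHP backend.

```python
# Added example, not HAX project code; manifest layout and names are assumptions.
import html
import re
from html.parser import HTMLParser

URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def naive_script_filter(markup):
    """The insufficient pre-11.0.0 assumption: dropping <script> elements is enough."""
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", markup)


def scheme_of(value):
    """Scheme a browser would resolve, or None if relative (browsers ignore whitespace/control chars)."""
    match = re.match(r"^([a-z][a-z0-9+.-]*):", re.sub(r"[\s\x00-\x1f]", "", value).lower())
    return match.group(1) if match else None


class MarkupGuard(HTMLParser):
    """Allowlist sanitizer that also records each script-capable construct it removed."""
    ALLOWED = {"p": set(), "b": set(), "i": set(), "em": set(), "strong": set(), "ul": set(),
               "ol": set(), "li": set(), "br": set(), "a": {"href"}, "img": {"src", "alt"}}
    VOID = {"br", "img"}

    def __init__(self):
        super().__init__()
        self.out, self.findings, self.dropping = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
            self.dropping = True  # discard the element's text as well
            return
        kept = []
        for name, value in attrs:
            scheme = scheme_of(value) if name in URL_ATTRS and value else None
            if name.startswith("on"):
                self.findings.append(f"<{tag} {name}> event handler")
            elif scheme == "javascript":
                self.findings.append(f"<{tag} {name}> javascript: URL")
            elif name in self.ALLOWED.get(tag, ()) and value is not None \
                    and scheme in (None, *SAFE_SCHEMES):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        if tag in self.ALLOWED:  # unknown elements are dropped, their text is kept
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.dropping = False
        elif tag in self.ALLOWED and tag not in self.VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))


def scrub(markup):
    """Return (sanitized markup, list of script-capable constructs that were removed)."""
    guard = MarkupGuard()
    guard.feed(markup)
    guard.close()
    return "".join(guard.out), guard.findings


def audit_manifest(manifest):
    """Walk every string in a JSON document; report risky markup with its JSON path."""
    results = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, child in node.items():
                walk(child, f"{path}.{key}")
        elif isinstance(node, list):
            for index, child in enumerate(node):
                walk(child, f"{path}[{index}]")
        elif isinstance(node, str):
            results.extend({"path": path, "finding": f} for f in scrub(node)[1])

    walk(manifest, "$")
    return results


SAMPLE_MANIFEST = {  # constructed sample, not HAX's real JSON schema
    "title": "Demo site",
    "items": [
        {"id": "item-1", "title": "Welcome", "body": "<p>Hello <b>world</b></p>"},
        {"id": "item-2", "title": "Gallery", "body": '<img src="x" onerror="alert(1)">'},
        {"id": "item-3", "title": "Links", "body": '<a href="  JavaScript:alert(1)">click</a>'},
        {"id": "item-4", "title": "Mixed", "body": "<script>alert(1)</script><svg onload=alert(1)>"},
    ],
}

if __name__ == "__main__":
    for hit in audit_manifest(SAMPLE_MANIFEST):
        print(f"{hit['path']}: {hit['finding']}")
    survivor = naive_script_filter(SAMPLE_MANIFEST["items"][3]["body"])
    print("still risky after a script-only filter:", scrub(survivor)[1])
```

Running the script lists each JSON path in the sample whose content can execute script, then shows that the script-only filter leaves the `<svg onload>` payload untouched. The same parser doubles as the output filter: `scrub()` returns markup containing only the listed tags and attributes, with URL attributes restricted to an explicit scheme allowlist, which is the structural opposite of the blocklist that failed here.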

Priority Score

63 on a Low / Medium / High / Critical scale
Components: KEV 0, EPSS +0.1, CVSS +42, PoC +20

EUVD-2025-17562 vulnerability details – vuln.today