pkg:npm/@haxtheweb/haxcms-nodejs

16 CVEs in total: HIGH 5, MEDIUM 3

All known vulnerabilities

  • HIGH 8.7 CVE-2026-48527 HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint
    from 0, < 26.0.1
  • HIGH 8.5 CVE-2025-49141 HaxCMS-PHP Command Injection Vulnerability
    from 0, < 11.0.3
  • HIGH 8.3 CVE-2025-54378 HAX CMS API Lacks Authorization Checks
    from 0, < 11.0.14
  • HIGH 8.0 CVE-2026-22704 HAXcms Has Stored XSS Vulnerability that May Lead to Account Takeover
    >= 11.0.6, < 25.0.0
  • HIGH 7.3 CVE-2025-54137 NodeJS version of the HAX CMS application is distributed with Default Secrets
    from 0, < 11.0.10
  • MEDIUM 6.5 CVE-2026-46357 HAX CMS: Denial of Service using Malicious Import Request
    from 0, < 26.0.0
  • MEDIUM 5.3 CVE-2025-49139 @haxtheweb/haxcms-nodejs Iframe Phishing vulnerability
    from 0, < 11.0.0
  • MEDIUM 4.3 CVE-2025-54139 HAX CMS application pages vulnerable to clickjacking
    from 0, < 11.0.13
  • CVE-2026-46511 HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack
    from 0, < 26.0.0
  • CVE-2026-46396 Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover
    from 0, < 26.0.0
  • CVE-2026-46395 HAXcms: Private Key Disclosure via Broken HMAC Implementation
    from 0, < 26.0.0
  • CVE-2026-46496 HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft
    from 0, < 26.0.0
  • CVE-2026-46393 HAXcms createSite SSRF Enables Arbitrary File Read
    from 0, < 26.0.0
  • CVE-2025-54134 HAX CMS NodeJS Application Has Improper Error Handling That Leads to Denial of Service
    from 0, < 11.0.9
  • CVE-2025-54128 NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting
    from 0, < 11.0.8
  • CVE-2025-54127 NodeJS version of HAX CMS Has Insecure Default Configuration That Leads to Unauthenticated Access
    from 0, < 11.0.7