CVE-2025-49138: HAX CMS vulnerable to Local File Inclusion via saveOutline API Location Parameter

June 9, 2025

An authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data).

References

github.com/advisories/GHSA-hxrr-x32w-cg8g
github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/HAXCMSSite.php
github.com/haxtheweb/issues
github.com/haxtheweb/issues/security/advisories/GHSA-hxrr-x32w-cg8g
nvd.nist.gov/vuln/detail/CVE-2025-49138

Code Behaviors & Features

Detect and mitigate CVE-2025-49138 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →