CVE-2025-54378: HAX CMS API Lacks Authorization Checks
HAX CMS API endpoints perform no authorization check on the resource they operate on. Neither the JS (haxcms-nodejs) nor the PHP (haxcms-php) version of the CMS verifies that the requesting user has permission to act on a given resource before carrying out the requested operation, so an authenticated user can reach resources that should be restricted to their owner. The fixes are in the haxcms-nodejs and haxcms-php commits listed below.
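To make the bug class concrete, here is an added illustration (not HAX CMS code, and not taken from the referenced commits) of an API handler that authenticates the caller but never authorizes the action against the requested resource, beside a corrected handler. The in-memory site store, the session shape, the role model and the function names are all constructed for this example.

```javascript
'use strict';
// Added example of the bug class behind CVE-2025-54378: an endpoint that
// checks the caller is logged in but never checks that the caller may act on
// the requested resource. Nothing here is HAX CMS code; the store, session
// object and role model are constructed for the illustration.

// Constructed in-memory site store. Each site records its owner, a set of
// editors and its pages. A fresh store is built per use so runs are repeatable.
function makeStore() {
  return new Map([
    ['site-a', { owner: 'alice', editors: new Set(['carol']),
                 pages: { home: 'A home', about: 'A about' } }],
    ['site-b', { owner: 'bob', editors: new Set(), pages: { home: 'B home' } }],
  ]);
}

// Vulnerable pattern: authentication only. Any logged-in user can delete any
// page of any site, because the handler never asks whether session.user is
// allowed to modify the site it resolved from the request body.
function deletePageVulnerable(store, session, body) {
  if (!session || !session.user) return { status: 401, error: 'login required' };
  const site = store.get(body.site);
  if (!site) return { status: 404, error: 'no such site' };
  if (!(body.page in site.pages)) return { status: 404, error: 'no such page' };
  delete site.pages[body.page];
  return { status: 200, remaining: Object.keys(site.pages) };
}

// Authorization decision for one (user, site, action) triple. Owners may do
// anything; editors may edit and delete pages but not delete the site itself;
// everyone else is denied. Real systems would load this from a policy store.
function isAuthorized(user, site, action) {
  if (site.owner === user) return true;
  if (site.editors.has(user)) return action === 'edit-page' || action === 'delete-page';
  return false;
}

// Fixed pattern: authenticate, resolve the resource, then authorize the
// specific action on that specific resource before mutating anything.
// Note that answering 404 for a missing site and 403 for a forbidden one
// reveals whether the site exists; return 404 for both if that matters.
function deletePageFixed(store, session, body) {
  if (!session || !session.user) return { status: 401, error: 'login required' };
  const site = store.get(body.site);
  if (!site) return { status: 404, error: 'no such site' };
  if (!isAuthorized(session.user, site, 'delete-page')) {
    return { status: 403, error: 'forbidden' };
  }
  if (!(body.page in site.pages)) return { status: 404, error: 'no such page' };
  delete site.pages[body.page];
  return { status: 200, remaining: Object.keys(site.pages) };
}

// Demonstration: mallory is a valid, logged-in user with no rights on site-a.
// The vulnerable handler lets the deletion through; the fixed one refuses it.
function demo() {
  const mallory = { user: 'mallory' };
  const req = { site: 'site-a', page: 'about' };
  const vuln = deletePageVulnerable(makeStore(), mallory, req);
  const fixed = deletePageFixed(makeStore(), mallory, req);
  return { vuln, fixed };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point to take from the fixed handler is the ordering: the check is made against the resolved resource (the specific site), not merely against the presence of a session, and it runs before any side effect. When reviewing an API for this class of bug, look at every handler that takes a resource identifier from the request and confirm a check of this shape sits between resolving the resource and acting on it.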
References
- github.com/advisories/GHSA-9jr9-8ff3-m894
- github.com/haxtheweb/haxcms-nodejs/commit/5826e9b7f3d8c7c7635411768b86b199fad36969
- github.com/haxtheweb/haxcms-php/commit/24d30222481ada037597c4d7c0a51a1ef7af6cfd
- github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894
- nvd.nist.gov/vuln/detail/CVE-2025-54378
Detect and mitigate CVE-2025-54378 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.