CVE-2025-49141: HaxCMS-PHP Command Injection Vulnerability

June 9, 2025 (updated June 20, 2025)

The ‘gitImportSite’ functionality obtains a URL string from a POST request and insufficiently validates user input. The ’set_remote’ function later passes this input into ’proc_open’, yielding OS command injection.

References

github.com/advisories/GHSA-g4cf-pp4x-hqgw
github.com/haxtheweb/haxcms-nodejs
github.com/haxtheweb/haxcms-nodejs/commit/5131fea6b6be611db76a618f89bd2e164752e9b3
github.com/haxtheweb/issues/security/advisories/GHSA-g4cf-pp4x-hqgw
nvd.nist.gov/vuln/detail/CVE-2025-49141

Code Behaviors & Features

Detect and mitigate CVE-2025-49141 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →