
CVE-2025-48996: Unauthenticated Disclosure of PSU HAX CMS Site Listings via haxPsuUsage API Endpoint

June 5, 2025

An unauthenticated information disclosure vulnerability exists in the PSU deployment of HAX CMS via the haxPsuUsage API endpoint. This allows any remote unauthenticated user to retrieve a full list of PSU websites hosted on HAX CMS. When chained with other authorization issues (e.g., HAX-3), this could assist in targeted attacks such as unauthorized content modification or deletion.


References

  • github.com/advisories/GHSA-fvx2-x7ff-fc56
  • github.com/haxtheweb/issues
  • github.com/haxtheweb/issues/security/advisories/GHSA-fvx2-x7ff-fc56
  • github.com/haxtheweb/open-apis/commit/06c2e1fbb7131a8fe66aa0600f38dcacae6b7ac7
  • nvd.nist.gov/vuln/detail/CVE-2025-48996

Affected versions

All versions up to 10.0.1

Solution

Unfortunately, there is no solution available yet.

Impact

5.3 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Weakness

  • CWE-201: Insertion of Sensitive Information Into Sent Data

Source file

npm/@haxtheweb/open-apis/CVE-2025-48996.yml

Page generated Tue, 19 Aug 2025 12:18:36 +0000.