6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-49138

CVE-2025-49138: HAX CMS vulnerable to Local File Inclusion via saveOutline API Location Parameter

Summary

An authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data).

Details

The vulnerability stems from the way the HAXCMS backend handles the location field in the site's outline. When a user sends a POST request to /system/api/saveOutline, the backend stores the provided location value directly into the site.json file associated with the site, without validating or sanitizing the input.

Later the location parameter is interpreted by the CMS like in HAXCMSSite.php line 1248 to resolve and load the content for a given node. If the location field contains a relative path like ../../../etc/passwd, the application will attempt to read and render that file.

PoC

Authenticate to the CMS and retrieve the JWT and CSRF token.
Issue a POST request to /system/api/saveOutline with the path traversal injection via the location parameter :

Curl the website root to see the file contents.

passwd

Impact

This is an authenticated Local File Inclusion (LFI) vulnerability, via the location parameter the attacker can read any file on the filesystem that is accessible by the www-data user.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-49138

CVE-2025-49138:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
elmsln/haxcms	composer	< 11.0.0	11.0.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability (GHSA-hxrr-x32w-cg8g / CVE-2025-49138) is a Local File Inclusion in HAXCMS. It occurs in two stages:

An authenticated user makes a POST request to the /system/api/saveOutline endpoint. The location parameter in this request is not sanitized and is saved directly into the site.json file. The backend operation likely responsible for this is a method within Operations.php, such as saveManifest(), which handles saving the site's structure including item locations.
When HAXCMS subsequently processes this site.json to render a page or provide data for feeds/search, functions like HAXCMSSite::getPageContent(), JSONOutlineSchemaItem::readLocation(), HAXCMSSite::jsonFeedFormat(), HAXCMSSite::lunrSearchIndex(), RSS::rssItems(), and RSS::atomItems() read the tainted location value. In vulnerable versions, these functions used the location in file_get_contents() calls without adequate sanitization, allowing a path traversal payload (e.g., ../../../etc/passwd) to be executed, thus reading arbitrary files from the server.

The fixing commit 0dd3e98fe2fadd0793b667d4af2aac230980e0f8 addresses this by:

Introducing a new validation function HAXCMSSite::validatePageLocation() which checks if a path is within the allowed site directory and strips ../ and ./.
Applying this validation and/or direct str_replace sanitization in all identified functions that consume the location parameter before passing it to file_get_contents().
Adding broader input sanitization using filter_var and strip_tags in various data handling functions in Operations.php and HAXCMSSite.php.

Therefore, the primary vulnerable functions are those involved in saving the unsanitized path and those involved in reading files using that path.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-49138: HAX CMS vulnerable to Local File Inclusion via saveOutline API Location Parameter

Summary

Details

PoC

Impact

CVE-2025-49138:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.5

6.5

Basic Information

Basic Information

Technical Details

CVE-2025-49138: HAX CMS vulnerable to Local File Inclusion via saveOutline API Location Parameter

Summary

Details

PoC

Impact

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI