
CVE-2025-49138: HAX CMS vulnerable to Local File Inclusion via saveOutline API Location Parameter

CVSS 3.1 Score: 6.5

Basic Information

EPSS Score: 0.13582%
Published: 6/9/2025
Updated: 6/9/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| elmsln/haxcms | composer | < 11.0.0 | 11.0.0 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability (GHSA-hxrr-x32w-cg8g / CVE-2025-49138) is a Local File Inclusion in HAXCMS. It occurs in two stages:

  1. An authenticated user makes a POST request to the /system/api/saveOutline endpoint. The location parameter in this request is not sanitized and is saved directly into the site.json file. The backend operation likely responsible for this is a method within Operations.php, such as saveManifest(), which handles saving the site's structure including item locations.
  2. When HAXCMS subsequently processes this site.json to render a page or provide data for feeds/search, functions like HAXCMSSite::getPageContent(), JSONOutlineSchemaItem::readLocation(), HAXCMSSite::jsonFeedFormat(), HAXCMSSite::lunrSearchIndex(), RSS::rssItems(), and RSS::atomItems() read the tainted location value. In vulnerable versions, these functions passed the location to file_get_contents() without adequate sanitization, so a stored path traversal value (e.g., ../../../etc/passwd) is resolved by that call and arbitrary files are read from the server.

The fixing commit 0dd3e98fe2fadd0793b667d4af2aac230980e0f8 addresses this by:

  • Introducing a new validation function HAXCMSSite::validatePageLocation() which checks if a path is within the allowed site directory and strips ../ and ./.
  • Applying this validation and/or direct str_replace sanitization in all identified functions that consume the location parameter before passing it to file_get_contents().
  • Adding broader input sanitization using filter_var and strip_tags in various data handling functions in Operations.php and HAXCMSSite.php.

Therefore, the primary vulnerable functions are those involved in saving the unsanitized path and those involved in reading files using that path.
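The containment check the fix introduces, shown as an added example that is not the project's own validatePageLocation() (assumed names: safePageLocation(), $siteDir): it resolves the site.json location against the site directory and refuses anything that lands outside it, so the same check can run once before any of the file_get_contents() call sites named above.

```php
<?php
// Added example, not HAXCMS project code. Models the behaviour the page
// attributes to validatePageLocation(): a location read from site.json
// must stay inside the site directory before it reaches file_get_contents().
declare(strict_types=1);

/**
 * Return the resolved absolute path for $location if it lies inside
 * $siteDir, or null if it escapes, is malformed, or does not exist.
 */
function safePageLocation(string $siteDir, string $location): ?string
{
    // NUL bytes truncate paths in the underlying C calls; reject them.
    if ($location === '' || strpos($location, "\0") !== false) {
        return null;
    }
    // Locations are site-relative: refuse absolute paths and stream
    // wrappers (php://, file://, ...) that file_get_contents() would honour.
    if ($location[0] === '/' || preg_match('#^[a-z][a-z0-9+.-]*://#i', $location)) {
        return null;
    }
    $base = realpath($siteDir);
    if ($base === false) {
        return null;
    }
    // realpath() canonicalises ./ and ../ segments and symlinks, so the
    // containment test below does not depend on stripping strings.
    $target = realpath($base . DIRECTORY_SEPARATOR . $location);
    if ($target === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the site directory
    }
    return $target;
}

// Demonstration against a throwaway site directory constructed here.
$siteDir = sys_get_temp_dir() . '/haxcms-example-' . bin2hex(random_bytes(4));
mkdir($siteDir . '/pages', 0700, true);
file_put_contents($siteDir . '/pages/welcome.html', '<p>hello</p>');

foreach (['pages/welcome.html', '../../../etc/passwd', 'pages/../../etc/passwd', '/etc/passwd'] as $loc) {
    printf("%-24s => %s\n", $loc, safePageLocation($siteDir, $loc) ?? 'rejected');
}

unlink($siteDir . '/pages/welcome.html');
rmdir($siteDir . '/pages');
rmdir($siteDir);
```

Only the first location resolves to a path; the other three are rejected before any file is opened.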

Vulnerable functions

Operations::saveManifest (system/backend/php/lib/Operations.php)
This function is responsible for saving the site manifest (site.json), which includes the outline of site items and their 'location' properties. In the vulnerable version, it did not sanitize the 'location' field received from the saveOutline API call, allowing a path traversal payload to be written into site.json.

HAXCMSSite::getPageContent (system/backend/php/lib/HAXCMSSite.php)
This function retrieves the content of a page based on the 'location' field of a page object (derived from site.json). In the vulnerable version, it directly used the 'location' in a file_get_contents call without proper sanitization or validation, leading to LFI if the 'location' contained a path traversal payload. This is the function mentioned at line 1248 in the vulnerable version.

JSONOutlineSchemaItem::readLocation (system/backend/php/lib/JSONOutlineSchemaItem.php)
This method reads the content of a file specified by the item's 'location' property. In the vulnerable version, it used the 'location' directly in file_get_contents without sanitizing path traversal characters, making it vulnerable to LFI.

HAXCMSSite::jsonFeedFormat (system/backend/php/lib/HAXCMSSite.php)
This function generates a JSON feed and includes page content using file_get_contents based on item location. It was vulnerable to LFI and was patched by adding a call to `validatePageLocation`.

HAXCMSSite::lunrSearchIndex (system/backend/php/lib/HAXCMSSite.php)
This function generates a search index and includes page content using file_get_contents based on item location. It was vulnerable to LFI and was patched by adding a call to `validatePageLocation`.

RSS::rssItems (system/backend/php/lib/RSS.php)
This function generates RSS feed items and includes page content using file_get_contents based on item location. It was vulnerable to LFI and was patched by adding `str_replace` to sanitize the location.

RSS::atomItems (system/backend/php/lib/RSS.php)
This function generates Atom feed items and includes page content using file_get_contents based on item location. It was vulnerable to LFI and was patched by adding `str_replace` to sanitize the location.

WAF Protection Rules

WAF Rule

### Summary
An authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attack
