CVE-2025-54128

MEDIUM

haxcms-nodejs < 11.0.8 - Cross-Site Scripting via Disabled Content Security Policy

Title source: llm

Description

HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.7 and below, the NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect against cross-site-scripting attacks. The contentSecurityPolicy value is explicitly disabled in the application's Helmet configuration in app.js. This is fixed in version 11.0.8.

References (2)

Core 2

Core References

Third Party Advisory x_refsource_confirm

https://github.com/haxtheweb/issues/security/advisories/GHSA-59g8-h59f-8hjp

Patch x_refsource_misc

https://github.com/haxtheweb/haxcms-nodejs/commit/ddb9351c6d6418008d4084a5b17fd6d611bc4e30

View Patch ZIP pw:eip

Scores

CVSS v3 6.1

EPSS 0.0019

EPSS Percentile 8.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

haxtheweb/haxcms-nodejs 0 - 11.0.8npm

psu/haxcms-nodejs < 11.0.8

Published Jul 21, 2025

Tracked Since Feb 18, 2026