CVE-2025-54127 · CRITICAL 9.8 · EPSS percentile 29.6%

Description

HAXcms with the Node.js backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the Node.js version of HAXcms ships with an insecure default configuration intended for local development: the default configuration performs no authorization or authentication checks. If a user deploys haxcms-nodejs without modifying the default settings, `HAXCMS_DISABLE_JWT_CHECKS` is set to `true` and the deployment lacks session authentication. This is fixed in version 11.0.7.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.38% probability of exploitation · percentile 29.6% · 2026-06-18T12:00:27Z
Published: 2025-07-21
Last modified: 2025-07-30

Underlying weaknesses · 1

CWE-1188

References

  1. https://github.com/haxtheweb/issues/security/advisories/GHSA-f38f-jvqj-mfg6

Type      | Target                                                            | Confidence | Tier
Weakness  | Initialization of a Resource with an Insecure Default (CWE-1188)  | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-54378
CVE: CVE-2026-46395
CVE: CVE-2026-46357
CVE: CVE-2026-46398
CVE: CVE-2026-46401
CVE: CVE-2026-46511
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.