logo

Database

Clickjacking In @haxtheweb/haxcms-nodejs

Description

HAX CMS application pages vulnerable to clickjacking

Summary

All pages within the HAX CMS application do not contain headers to stop other websites from loading the site within an iframe. This applies to both the CMS and generated sites.

PoC

To replicate this vulnerability, load the target page in an iframe and observe the rendered content.

image

Impact

An unauthenticated attacker can load the standalone login page or other sensitive functionality within an iframe, performing a UI redressing attack (Clickjacking). This can be used to perform social engineering attacks to attempt to coerce users into performing unintended actions within the HAX CMS application.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-541392. NVD-2025-541393. OSV-2025-541394. GHSA-54vw-f4xf-f92j5. GCVE-2025-54139

References

1. https://github.com/haxtheweb/issues/security/advisories/GHSA-54vw-f4xf-f92j2. https://github.com/haxtheweb/haxcms-nodejs/commit/777f9a7ff9675a160496f350d766df1f1f9b9b993. https://github.com/haxtheweb/haxcms-php/commit/708dc8518928fe307044e67bff8b0f397cfdd606

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.