Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens (user_token), user activity, client IP addresses, and server configuration details. This allows any unauthenticated user to monitor real-time user interactions and gather internal infrastructure information. This vulnerability is fixed in 25.0.0.
Published: 2026-04-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data exposure via public endpoint
Action: Update software
AI Analysis

Impact

The vulnerability lies in the /server-status endpoint of HAX CMS, which is publicly accessible in versions before 25.0.0. An unauthenticated request to this endpoint returns authentication tokens, user activity, client IP addresses, and server configuration data. This exposure allows an attacker to harvest valid session tokens and observe user interactions in real time, potentially facilitating credential compromise and unauthorized system access.

Affected Systems

The affected product is HAX CMS (HAXiam) from haxtheweb. All installations running a version earlier than 25.0.0 are vulnerable. The issue was addressed in the 25.0.0 release.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability. The attack vector is simple: any user with network access can send an unauthenticated GET request to /server-status. No authentication or privileged access is required. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting it may not yet be widely exploited but could be leveraged by an attacker due to its ease of access.

Generated by OpenCVE AI on April 7, 2026 at 01:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HAX CMS to version 25.0.0 or newer according to the vendor’s release notes.
  • If an upgrade cannot be performed immediately, block public access to the /server-status endpoint, for example by adjusting web server configuration or adding authentication.
  • Verify that the endpoint no longer returns authentication tokens and other sensitive data after mitigation measures are applied.

Generated by OpenCVE AI on April 7, 2026 at 01:37 UTC.
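A verification script for the recommended actions above, added here as an example; it is not part of the OpenCVE record or of the HAX CMS project. It compares an installed version string against 25.0.0 and classifies an unauthenticated response from /server-status. The advisory does not give the response format, so the body is scanned as text for the user_token field it names and for IPv4 addresses; the sample body, its field names other than user_token, and the URL layout in probe() are assumptions.

```python
"""Post-mitigation check for the HAX CMS /server-status exposure (CVE-2026-35185).

Constructed example, not HAX CMS project code. Assumes the endpoint lives at
<base_url>/server-status and that an exposed reply carries the 'user_token'
field named in the advisory; the body is scanned as plain text.
"""
import json
import re
import urllib.error
import urllib.request

FIXED_VERSION = (25, 0, 0)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_fixed_version(version: str) -> bool:
    """True when the installed HAX CMS version is 25.0.0 or newer ('v24.3' style accepted)."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) >= FIXED_VERSION


def assess_response(status: int, body: str) -> dict:
    """Classify one /server-status response.

    'exposed'   - the body still carries a user_token or client IP address.
    'protected' - nothing leaked and the server refused or hid the endpoint.
    'review'    - reachable (e.g. 200) with nothing recognised; inspect manually.
    """
    findings = []
    if "user_token" in body:
        findings.append("user_token present")
    if IPV4.search(body):
        findings.append("client IP address present")
    if findings:
        verdict = "exposed"
    elif status in (401, 403, 404):
        verdict = "protected"
    else:
        verdict = "review"
    return {"status": status, "verdict": verdict, "findings": findings}


def probe(base_url: str, timeout: float = 10) -> dict:
    """Send one unauthenticated GET and assess it (network call, for real runs only)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/server-status",
                                 headers={"User-Agent": "cve-2026-35185-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return assess_response(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample of what a pre-25.0.0 instance might return; every field
# except user_token is an assumption, and the values are placeholders.
SAMPLE_EXPOSED = json.dumps({"user_token": "PLACEHOLDER-TOKEN",
                             "active_users": [{"ip": "203.0.113.7", "page": "/edit"}]})

if __name__ == "__main__":
    print(assess_response(200, SAMPLE_EXPOSED))
```

Run probe("https://your-hax-host") after applying the web-server block or the upgrade; anything other than "protected" means the mitigation is incomplete.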


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Haxtheweb; Haxtheweb hax

Type: Vendors & Products
Values Removed: (none)
Values Added: Haxtheweb; Haxtheweb hax

Mon, 06 Apr 2026 20:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens (user_token), user activity, client IP addresses, and server configuration details. This allows any unauthenticated user to monitor real-time user interactions and gather internal infrastructure information. This vulnerability is fixed in 25.0.0.

Type: Title
Values Removed: (none)
Values Added: HAX CMS's public /server-status endpoint exposes authentication tokens, user activity, and client IP addresses

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-284; CWE-522; CWE-532

Type: References

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T15:10:10.078Z

Reserved: 2026-04-01T17:26:21.134Z

Link: CVE-2026-35185

Vulnrichment

Updated: 2026-04-07T15:05:32.569Z

NVD

Status : Awaiting Analysis

Published: 2026-04-06T20:16:27.040

Modified: 2026-04-07T16:16:25.540

Link: CVE-2026-35185

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:37:27Z

Weaknesses