Impact
The HAX CMS system exposes an authenticated local file inclusion flaw in the saveOutline endpoint. By manipulating the location parameter that is written into site.json, a low‑privileged authenticated user can read arbitrary files on the server. This includes sensitive files such as /etc/passwd, application secrets, or other configuration files accessible to the web server process. The flaw does not allow code execution, but it provides an easy means to exfiltrate confidential information. The weakness is a classic path traversal issue, classified as CWE‑22 and CWE‑73.
Affected Systems
The affected vendor is haxtheweb, whose HAXCMS backends are implemented in both PHP and Node.js. Any deployment of either HAXCMS‑nodejs or HAXCMS‑php running a version earlier than 26.0.0 is vulnerable. The issue is fixed in version 26.0.0 of both frameworks.
Risk and Exploitability
The CVSS score of 6.5 indicates medium severity, with the impact falling on confidentiality through information disclosure. Because the vulnerability requires authentication, the attack surface is limited to users who can authenticate to the CMS; a low‑privileged user can still exploit the flaw. EPSS data is not available, so the current exploitation probability is unknown. The vulnerability is not listed in CISA's KEV catalog, suggesting no known widespread exploitation. Based on the description, the likely attack vector is the authenticated API endpoint saveOutline, where an attacker crafts a location value that navigates to arbitrary paths relative to the site.json file, causing the CMS to expose the contents of those files.
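As an added example (not code from HAXcms or from this advisory), the following JavaScript audits a site.json for location values that resolve outside the site directory, which is the condition the traversal described above relies on. It assumes site.json carries an items array whose entries have id and location fields; the function names and the sample data are constructed for illustration.

```javascript
// Lexically resolve an item's location against the directory holding site.json.
// Returns the normalised relative path, or null when the value is not a path
// that stays inside that directory. Symlinks are not followed: a lexical check only.
function resolveInsideSite(location) {
  if (typeof location !== "string" || location === "" || location.includes("\0")) return null;
  // Treat backslashes as separators so Windows-style traversal is caught too.
  const unified = location.replace(/\\/g, "/");
  // Absolute paths and drive letters are never valid page locations.
  if (unified.startsWith("/") || /^[A-Za-z]:/.test(unified)) return null;
  const stack = [];
  for (const seg of unified.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (stack.length === 0) return null; // climbed above the site directory
      stack.pop();
    } else {
      stack.push(seg);
    }
  }
  return stack.length > 0 ? stack.join("/") : null;
}

// Return the items whose location would be rejected by the check above.
// Assumption: siteJson.items is the outline array written by saveOutline.
function auditOutline(siteJson) {
  const items = Array.isArray(siteJson.items) ? siteJson.items : [];
  return items
    .filter((item) => resolveInsideSite(item.location) === null)
    .map((item) => ({ id: item.id, location: item.location }));
}

// Constructed sample outline, not taken from a real site.
const sampleSite = {
  items: [
    { id: "item-1", location: "pages/welcome/index.html" },
    { id: "item-2", location: "../../../../etc/passwd" },
    { id: "item-3", location: "pages/a/../../../config/secrets.json" },
    { id: "item-4", location: "/etc/passwd" },
    { id: "item-5", location: "pages/./notes/../notes/index.html" },
  ],
};

console.log(auditOutline(sampleSite));
```

Running the same check over the site.json files of a deployment that ran a version earlier than 26.0.0 shows whether any stored outline entry points outside its site directory.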