CVE-2025-49137: 
PHP vulnerability analysis and mitigation

CVE-2025-49137 affects HAX CMS PHP, a content management system that allows users to manage their microsite universe with a PHP backend. The vulnerability was discovered and disclosed on June 9, 2025, affecting versions prior to 11.0.0. The issue stems from insufficient sanitization of user input in the 'saveNode' and 'saveManifest' endpoints, which allows for the execution of arbitrary JavaScript code (GitHub Advisory, NVD).

The vulnerability exists in the application's handling of user input through the 'saveNode' and 'saveManifest' endpoints. These endpoints store user input in the JSON schema for the site, which is then rendered in the generated HAX site. While the application blocks direct use of script tags, it fails to prevent the execution of JavaScript through other HTML tags. The vulnerability has been assigned a CVSS v3.1 base score of 8.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N, indicating network accessibility with low attack complexity (GitHub Advisory).

An authenticated attacker can exploit this vulnerability to store malicious payloads in a HAX site which execute arbitrary JavaScript when users visit the site. This can lead to the theft of user session cookies and other sensitive data. The vulnerability affects both the site editor and settings editor functionalities (GitHub Advisory).

The vulnerability has been fixed in version 11.0.0 of HAX CMS PHP. Users are advised to upgrade to this version to protect against potential attacks (NVD, GitHub Advisory).