CVE-2025-49138: 
PHP vulnerability analysis and mitigation

HAX CMS PHP contains an authenticated Local File Inclusion (LFI) vulnerability (CVE-2025-49138) discovered in June 2025. The vulnerability affects versions prior to 11.0.0 and exists in the HAXCMS saveOutline endpoint, allowing low-privileged users to read arbitrary files on the server by manipulating the location field written into site.json (GitHub Advisory).

The vulnerability stems from improper handling of the location field in the site's outline. When a user sends a POST request to /system/api/saveOutline, the backend stores the provided location value directly into the site.json file without validation or sanitization. The location parameter is later interpreted by the CMS to resolve and load content for a given node, allowing path traversal attacks. The vulnerability has been classified under CWE-73 (External Control of File Name or Path) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). It has been assigned a CVSS score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory).

The vulnerability enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). The CVSS scoring indicates high impact on confidentiality while integrity and availability remain unaffected (GitHub Advisory).

The vulnerability has been patched in version 11.0.0 of HAX CMS PHP. Organizations are advised to upgrade to this version or later to mitigate the risk (GitHub Advisory).