CVE-2025-49139: 
JavaScript vulnerability analysis and mitigation

CVE-2025-49139 is a security vulnerability discovered in HAX CMS PHP, affecting versions prior to 11.0.0. The vulnerability was disclosed on June 9, 2025, and involves the HAX site editor's website block functionality that allows loading external sites in an iframe. This feature enables users to supply target URLs for website blocks, which when visited, causes the client's browser to query the supplied URL (GitHub Advisory, Wiz).

The vulnerability is classified as CWE-1021 (Improper Restriction of Rendered UI Layers or Frames) and has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N. The technical issue lies in the Operations.php file at line 868, specifically in the system/api/saveNode endpoint, where the application fails to properly restrict iframe content sources (GitHub Advisory).

The vulnerability allows an authenticated attacker to create a HAX site with a website block pointing to an attacker-controlled server running Responder or similar tools. This can be exploited to conduct phishing attacks by convincing users to visit the malicious HAX site, potentially leading to credential harvesting (GitHub Advisory).

The vulnerability has been patched in version 11.0.0 of both haxcms-nodejs.operations (npm) and haxcms-php.operations (php) packages. Users are advised to upgrade to this version to address the security issue (GitHub Advisory).