CVE-2025-49138: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in haxtheweb issues
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, an authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). The vulnerability stems from the way the HAXCMS backend handles the location field in the site's outline. When a user sends a POST request to /system/api/saveOutline, the backend stores the provided location value directly into the site.json file associated with the site, without validating or sanitizing the input. Later the location parameter is interpreted by the CMS to resolve and load the content for a given node. If the location field contains a relative path like `../../../etc/passwd`, the application will attempt to read and render that file. Version 11.0.0 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-49138 is a path traversal (CWE-22) vulnerability in the HAX CMS PHP backend prior to version 11.0.0. HAX CMS manages a collection of microsites; the PHP backend stores each site's structure (its outline) in a site.json file and serves node content based on it.

The flaw sits in the saveOutline API endpoint (/system/api/saveOutline). An authenticated, low-privileged user can POST an outline whose node entries carry a location field, and the backend writes that value into site.json without validating or sanitizing it. The dangerous operation happens later: when the CMS resolves a node to load its content, it treats the stored location as a filesystem path relative to the site directory and does not confine the result to that directory. A value such as ../../../etc/passwd therefore makes the backend read and render a file outside the site. Because the payload is persisted in site.json, this is a stored traversal: the file is read on every subsequent render of that node, not only in the request that submitted it.

The advisory classifies the issue as an authenticated Local File Inclusion (LFI); in effect it is an arbitrary file read bounded by what the web server user (commonly www-data) can open, which typically includes /etc/passwd, application configuration and any secrets kept in files readable by the PHP process. The record also references CWE-73 (External Control of File Name or Path). Version 11.0.0 fixes the handling of the location field.

The CVSS v3.1 base score is 6.5 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: exploitable over the network with low attack complexity, requiring low privileges and no user interaction, with high confidentiality impact and no integrity or availability impact. No exploitation in the wild has been reported.
Potential Impact
Any HAX CMS deployment older than 11.0.0 that issues accounts to untrusted or low-privileged users is exposed. An attacker holding such an account can read any file the web server user can, which commonly means database credentials, API keys, configuration files and other users' site data. Those secrets are the usual stepping stone to further compromise: reuse of leaked credentials, privilege escalation inside the application, or pivoting to other systems. The vulnerability itself does not alter data or affect availability, but a confirmed read of personal data or secrets is a reportable breach in many jurisdictions, including under GDPR for European organizations, with the associated regulatory, reputational and financial consequences. Because exploitation needs only a valid login and no user interaction, a compromised or insider account makes it straightforward to automate. Instances used for microsites or internal portals with self-registration or broadly issued accounts are at highest risk, and patching should be prioritised accordingly.
Mitigation Recommendations
1. Upgrade to HAX CMS 11.0.0 or later, which fixes the handling of the location field. After upgrading, inspect existing site.json files for location values containing `..` or absolute paths: a traversal value written before the upgrade is still stored in the outline and should be removed.
2. If upgrading is not immediately possible, add WAF rules for POST requests to /system/api/saveOutline that flag location values containing `../`, absolute paths or NUL bytes. Treat this as a stopgap only: the value arrives inside a JSON body and can be escaped or encoded in ways a simple substring rule misses, and the file read happens at render time, not in the request the WAF inspects.
3. Restrict the saveOutline endpoint to accounts that genuinely need to edit outlines, and enforce strong authentication and session controls so that a low-privilege credential is harder to steal or reuse.
4. Audit site.json files and web server logs. The indicators to look for are location values that resolve outside the site directory, and render requests for nodes whose location was recently changed.
5. Limit the web server user's filesystem read access to what the application needs (site directories, PHP code and its own configuration), so that a traversal cannot reach secrets elsewhere on the host. Where the architecture allows, keep application secrets out of files readable by www-data.
6. Train developers and administrators on path handling: any user-supplied path component must be resolved and then checked to lie under the intended base directory, in custom extensions as well as in core code.
7. Monitor threat intelligence feeds for exploitation attempts against this CVE so that incident response can begin quickly.
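The following Python is an added example, not HAX CMS code and not part of this advisory. It models the resolution step described in the Technical Summary (the stored location joined to the site directory as-is), contrasts it with the containment check that a fix has to perform at the point of use, and runs the site.json audit from recommendation 4 over a constructed outline. The temporary directory layout, the file names and the `{"items": [{"id", "location"}]}` outline shape are assumptions for the demonstration, not the real HAX CMS schema.

```python
import json
import os
import tempfile


def resolve_location_unchecked(site_root: str, location: str) -> str:
    """Models the vulnerable behaviour: the stored location is joined to the
    site directory as-is, so '../' segments walk out of it."""
    return os.path.normpath(os.path.join(site_root, location))


def resolve_location_checked(site_root: str, location: str) -> str:
    """Hardened resolution: reject absolute paths and NUL bytes, resolve
    symlinks on both root and target, then require the target to stay
    under the root. The check runs on the resolved path, so doubled or
    oddly spelled '..' sequences that survive JSON decoding are caught too."""
    if "\x00" in location or os.path.isabs(location):
        raise ValueError(f"absolute path or NUL byte in location: {location!r}")
    root = os.path.realpath(site_root)
    target = os.path.realpath(os.path.join(root, location))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"location escapes site root: {location!r}")
    return target


def audit_outline(site_json_text: str, site_root: str) -> list:
    """Parse a site.json outline and return (id, location, reason) for every
    node whose location would resolve outside the site directory.
    Outline shape is an assumption: {"items": [{"id": ..., "location": ...}]}."""
    findings = []
    for item in json.loads(site_json_text).get("items", []):
        location = item.get("location", "")
        try:
            resolve_location_checked(site_root, location)
        except ValueError as exc:
            findings.append((item.get("id"), location, str(exc)))
    return findings


def demo() -> dict:
    """Constructed layout: <tmp>/sites/demo is the site root and
    <tmp>/secret.txt stands in for a file readable by the web server user
    but never meant to be served."""
    base = tempfile.mkdtemp()
    site_root = os.path.join(base, "sites", "demo")
    os.makedirs(os.path.join(site_root, "pages"))
    with open(os.path.join(site_root, "pages", "intro.html"), "w") as fh:
        fh.write("<p>hello</p>")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("db_password=example")

    traversal = "../../secret.txt"
    # Vulnerable path: the read succeeds and the secret would be rendered.
    with open(resolve_location_unchecked(site_root, traversal)) as fh:
        leaked = fh.read()
    # Hardened path: the same value is rejected before any file is opened.
    try:
        resolve_location_checked(site_root, traversal)
        blocked = False
    except ValueError:
        blocked = True

    # Constructed site.json: a benign node, a '..' that stays inside the
    # site, a traversal out of it, and an absolute path.
    site_json = json.dumps({"items": [
        {"id": "item-1", "location": "pages/intro.html"},
        {"id": "item-2", "location": "pages/../pages/intro.html"},
        {"id": "item-3", "location": traversal},
        {"id": "item-4", "location": "/etc/passwd"},
    ]})
    return {"leaked": leaked, "blocked": blocked,
            "findings": audit_outline(site_json, site_root)}


if __name__ == "__main__":
    result = demo()
    print("unchecked read returned:", result["leaked"])
    print("checked resolution blocked:", result["blocked"])
    for node_id, location, reason in result["findings"]:
        print(f"{node_id}: {location!r} -> {reason}")
```

Two design points are worth noting. The check compares resolved paths rather than grepping for `../`: item-2 contains `..` but never leaves the site and is correctly not flagged, while a WAF substring rule would either block it or, with a slightly different encoding, miss item-3. And the check belongs at the moment the location is turned into a path, not only in the save handler, because the value in site.json persists and may already be hostile when a patched version reads it.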
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-02T10:39:41.634Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68487f541b0bd07c3938a042
Added to database: 6/10/2025, 6:54:12 PM
Last enriched: 7/10/2025, 11:49:56 PM
Last updated: 8/8/2025, 2:23:14 AM
Related Threats
CVE-2025-41242: Vulnerability in VMware Spring Framework (Medium)
CVE-2025-47206: CWE-787 in QNAP Systems Inc. File Station 5 (High)
CVE-2025-5296: CWE-59 Improper Link Resolution Before File Access ('Link Following') in Schneider Electric SESU (High)
CVE-2025-6625: CWE-20 Improper Input Validation in Schneider Electric Modicon M340 (High)
CVE-2025-57703: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie (Medium)