{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35185", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T17:26:21.134Z", "datePublished": "2026-04-06T19:24:57.425Z", "dateUpdated": "2026-04-07T15:10:10.078Z"}, "containers": {"cna": {"title": "HAX CMS's public /server-status endpoint exposes authentication tokens, user activity, and client IP addresses", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-522", "lang": "en", "description": "CWE-522: Insufficiently Protected Credentials", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-532", "lang": "en", "description": "CWE-532: Insertion of Sensitive Information into Log File", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/haxtheweb/issues/security/advisories/GHSA-3676-wj6r-hwh7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-3676-wj6r-hwh7"}], "affected": [{"vendor": "haxtheweb", "product": "HAXiam", "versions": [{"version": "< 25.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T19:24:57.425Z"}, "descriptions": [{"lang": "en", "value": "HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens (user_token), user activity, client IP addresses, and server configuration details. This allows any unauthenticated user to monitor real-time user interactions and gather internal infrastructure information. This vulnerability is fixed in 25.0.0."}], "source": {"advisory": "GHSA-3676-wj6r-hwh7", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-3676-wj6r-hwh7", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T15:05:23.079092Z", "id": "CVE-2026-35185", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:10:10.078Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "HAX CMS's public /server-status endpoint exposes authentication tokens, user activity, and client IP addresses", "source": {"advisory": "GHSA-3676-wj6r-hwh7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "haxtheweb", "product": "HAXiam", "versions": [{"status": "affected", "version": "< 25.0.0"}]}], "references": [{"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-3676-wj6r-hwh7", "name": "https://github.com/haxtheweb/issues/security/advisories/GHSA-3676-wj6r-hwh7", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens (user_token), user activity, client IP addresses, and server configuration details. This allows any unauthenticated user to monitor real-time user interactions and gather internal infrastructure information. This vulnerability is fixed in 25.0.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T19:24:57.425Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35185", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T15:05:23.079092Z"}}}], "references": [{"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-3676-wj6r-hwh7", "tags": ["exploit"]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-07T15:05:32.569Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-35185", "state": "PUBLISHED", "dateUpdated": "2026-04-06T19:24:57.425Z", "dateReserved": "2026-04-01T17:26:21.134Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T19:24:57.425Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens (user_token), user activity, client IP addresses, and server configuration details. This allows any unauthenticated user to monitor real-time user interactions and gather internal infrastructure information. This vulnerability is fixed in 25.0.0."}], "id": "CVE-2026-35185", "lastModified": "2026-04-07T16:16:25.540", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T20:16:27.040", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-3676-wj6r-hwh7"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-3676-wj6r-hwh7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-522"}, {"lang": "en", "value": "CWE-532"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,25.0.0)"}}], "enrichment": {"confidence": 90.0, "confidence_source": "matching", "scores": [{"score": 90.0, "source": "matching"}]}, "original": {"product": "HAXiam", "source": "cna", "vendor": "haxtheweb"}, "product": "hax", "vendor": "haxtheweb"}], "analysis": {"en": {"generated_at": "2026-04-07T01:37:37.524354+00:00", "value": {"mitigation_remediation": ["Upgrade HAX CMS to version 25.0.0 or newer according to the vendor\u2019s release notes.", "If an upgrade cannot be performed immediately, block public access to the /server-status endpoint, for example by adjusting web server configuration or adding authentication.", "Verify that the endpoint no longer returns authentication tokens and other sensitive data after mitigation measures are applied."], "summary": {"action": "Update software", "impact": "Sensitive data exposure via public endpoint"}, "threat_synthesis": {"affected_systems": "The affected product is HAX CMS (HAXiam) from haxtheweb. All installations running a version earlier than 25.0.0 are vulnerable. The issue was addressed in the 25.0.0 release.", "description_and_impact": "The vulnerability lies in the /server-status endpoint of HAX CMS, which is publicly accessible in versions before 25.0.0. An unauthenticated request to this endpoint returns authentication tokens, user activity, client IP addresses, and server configuration data. This exposure allows an attacker to harvest valid session tokens and observe user interactions in real time, potentially facilitating credential compromise and unauthorized system access.", "risk_and_exploitability": "The CVSS score of 8.7 indicates a high severity vulnerability. The attack vector is simple: any user with network access can send an unauthenticated GET request to /server-status. No authentication or privileged access is required. EPSS data is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting it may not yet be widely exploited but could be leveraged by an attacker due to its ease of access."}}}}, "created": "2026-04-07T06:54:25.876724+00:00", "updated": "2026-04-07T09:37:27.820455+00:00", "vendors": ["haxtheweb", "haxtheweb$PRODUCT$hax"]}