CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2026-35185

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens (user_token), user activity, client IP addresses, and server configuration details. This allows any unauthenticated user to monitor real-time user interactions and gather internal infrastructure information. This vulnerability is fixed in 25.0.0.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.001

EPSS Ranking 20.5%

CVSS Severity

CVSS v3 Score 7.5

References

https://github.com/haxtheweb/issues/security/advisories/GHSA-3676-wj6r-hwh7
https://github.com/haxtheweb/issues/security/advisories/GHSA-3676-wj6r-hwh7

Products affected by CVE-2026-35185

Psu » Haxiam » Version: 11.0.5

cpe:2.3:a:psu:haxiam:11.0.5

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-35185

Products

Pricing

Contact Us