Information disclosure in Haxtheweb Haxiam
CVE-2026-35185
HAX CMS helps manage a microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens (user_token), user activity, client…
EPSS: 0.001 (27.8th percentile)
Affected products
- Haxtheweb Haxiam — versions < 25.0.0
Weakness classification (CWE)
References
- https://github.com/haxtheweb/issues/security/advisories/GHSA-3676-wj6r-hwh7 (x_refsource_CONFIRM)