Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-5fpv-5qvh-7cf3

GitHub Security Advisory

NodeJS version of the HAX CMS application is distributed with Default Secrets

✓ GitHub Reviewed HIGH Has CVE
View on GitHub

Advisory Details

### Summary

The NodeJS version of the HAX CMS application is distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys for JWTs. Users aren't prompted to change credentials or secrets during installation, and there is no way to change them through the UI.

### Affected Resources

- [HAXCMS.js](https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/lib/HAXCMS.js#L1614) HAXCMSClass

### Impact

An unauthenticated attacker can read the default user credentials and JWT private keys from the public haxtheweb GitHub repositories. These credentials and keys can be used to access unconfigured self-hosted instances of the application, modify sites, and perform further attacks.

Affected Packages

npm @haxtheweb/haxcms-nodejs
Affected versions: 0 (fixed in 11.0.10)

Related CVEs

CVE-2025-54137

Key Information

GHSA ID
GHSA-5fpv-5qvh-7cf3
Published
July 21, 2025 7:53 PM
Last Modified
July 23, 2025 1:36 PM
CVSS Score
7.5 /10
Primary Ecosystem
npm
Primary Package
@haxtheweb/haxcms-nodejs
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 25, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.