๐Ÿ” CVE Alert

CVE-2026-35185

UNKNOWN 0.0

HAX CMS's public /server-status endpoint exposes authentication tokens, user activity, and client IP addresses

CVSS Score: 0.0
EPSS Score: 0.1%
EPSS Percentile: 19th

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens (user_token), user activity, client IP addresses, and server configuration details. This allows any unauthenticated user to monitor real-time user interactions and gather internal infrastructure information. This vulnerability is fixed in 25.0.0.

CWE: CWE-284, CWE-522, CWE-532
Vendor: haxtheweb
Product: haxiam
Published: Apr 6, 2026
Last Updated: Apr 7, 2026

Affected Versions

haxtheweb / HAXiam
< 25.0.0

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/haxtheweb/issues/security/advisories/GHSA-3676-wj6r-hwh7