CVE-2025-53642 MEDIUM

CVE-2025-53642: haxcms-nodejs and haxcms-php Improperly Terminate Sessions

Vendor Haxtheweb

Product issues

Weakness CWE-613 · Insufficient session expiration

Published July 11, 2025

Last update July 14, 2025

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

haxcms-nodejs and haxcms-php are backends for HAXcms. The logout function within the application does not terminate a user's session or clear their cookies. Additionally, the application issues a refresh token when logging out. This vulnerability is fixed in 11.0.6.

Key dates

Disclosure timeline

July 11, 2025 CVE published

July 14, 2025 Record updated