
CVE-2026-35185

Severity: High · Public PoC

Published: 06 April 2026
Modified: 16 April 2026
CVSS Score (v4): 8.7
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0036 (27.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-35185 is a high-severity Improper Access Control (CWE-284) vulnerability in Psu Haxiam. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 27.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-35185 affects HAX CMS, a platform for managing microsites with PHP or Node.js backends, in versions prior to 25.0.0. The vulnerability stems from the /server-status endpoint being publicly accessible without authentication, which exposes sensitive information such as authentication tokens (user_token), real-time user activity, client IP addresses, and server configuration details. Rated 7.5 on the CVSS v3 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and associated with CWE-284 (Improper Access Control), CWE-522 (Insufficiently Protected Credentials), and CWE-532 (Information Exposure Through Log Files), it enables unauthorized information disclosure.

Any unauthenticated attacker with network access can exploit this vulnerability by simply querying the /server-status endpoint, requiring no privileges, user interaction, or special conditions. Successful exploitation allows the attacker to monitor live user interactions across the platform and harvest internal infrastructure details, potentially facilitating further attacks like token replay, targeted phishing, or reconnaissance for lateral movement.

The GitHub security advisory (GHSA-3676-wj6r-hwh7) confirms the issue is resolved in HAX CMS version 25.0.0, where the endpoint is no longer publicly accessible. Security practitioners should prioritize upgrading to this version or later and review access logs for anomalous /server-status requests to detect prior exploitation.
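The access-log review recommended above, as an added example that is neither part of this advisory nor HAX CMS's own code: it parses constructed combined-format (Apache/nginx style) log lines, flags successful (2xx) /server-status requests from clients outside an assumed set of internal address ranges, and counts /server-status requests per client. The log format, the sample lines and the internal ranges are assumptions; adjust them to the deployment being reviewed.

```python
import ipaddress
import re
from collections import Counter

# Combined log format as written by Apache/nginx by default (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Address ranges treated as internal (assumption: RFC 1918, loopback, ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7",
)]

# Constructed sample lines; documentation-range addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Apr/2026:10:15:02 +0000] "GET /server-status HTTP/1.1" 200 1532 "-" "curl/8.5.0"
10.0.0.5 - - [07/Apr/2026:10:15:09 +0000] "GET /server-status HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Apr/2026:10:15:11 +0000] "GET /server-status?refresh=5 HTTP/1.1" 200 1540 "-" "curl/8.5.0"
198.51.100.23 - - [07/Apr/2026:10:16:40 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.23 - - [07/Apr/2026:10:16:41 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "python-requests/2.31"
"""

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_internal(ip):
    """True if ip falls inside one of INTERNAL_NETS; unparsable values count as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def find_server_status_exposure(log_text):
    """Return (hits, per_ip): hits are 2xx /server-status responses served to
    external clients (likely unauthenticated disclosure); per_ip counts every
    /server-status request by client, blocked (403) attempts included."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].rstrip("/")  # drop query string, trailing slash
        if path != "/server-status":
            continue
        per_ip[rec["ip"]] += 1
        if rec["status"].startswith("2") and not is_internal(rec["ip"]):
            hits.append(rec)
    return hits, per_ip
```

A 403 from an external client after the upgrade to 25.0.0 is the expected outcome; a 2xx from an external client before it is the event worth investigating.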


Vulnerability details

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens (user_token), user activity, client IP addresses, and server configuration details. This allows any unauthenticated user to monitor real-time user interactions and gather internal infrastructure information. This vulnerability is fixed in 25.0.0.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
T1082 System Information Discovery (Discovery): An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Why these techniques?

Publicly accessible /server-status endpoint without auth in public-facing app directly enables T1190 (exploiting public-facing application for initial access/info disclosure), T1552 (harvesting exposed authentication tokens as unsecured credentials), and T1082 (obtaining server configuration and infrastructure details).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22704: same vendor (Psu)
CVE-2025-57266: shared CWE-284
CVE-2026-22782: shared CWE-532
CVE-2026-35467: shared CWE-522
CVE-2025-25381: shared CWE-284
CVE-2026-22566: shared CWE-284
CVE-2020-37097: shared CWE-522
CVE-2025-69907: shared CWE-284
CVE-2024-38291: shared CWE-284, CWE-522
CVE-2024-23733: shared CWE-522

Affected Assets

psu · haxiam · 11.0.5

Mitigating Controls (NIST 800-53 r5)

Prevent: SC-14 mandates protections for publicly accessible interfaces including authorization verification and restrictions on sensitive information exposure, directly preventing unauthenticated access to the /server-status endpoint.

Prevent: AC-3 requires enforcement of approved access authorizations to system resources, blocking unauthenticated queries to the sensitive /server-status endpoint.

Prevent: CM-6 enforces secure configuration settings that restrict public access to administrative endpoints like /server-status, aligning with the vulnerability fix in version 25.0.0.
