PatchSiren cyber security CVE debrief
CVE-2026-46357 haxtheweb CVE debrief
CVE-2026-46357 is a vulnerability in the HAX CMS NodeJS application. Prior to version 26.0.0, an authenticated attacker can crash the application by sending a specially crafted site creation request to the createSite endpoint. This can be done with a single request, taking the entire application offline and requiring a manual server restart to restore service. The issue is fixed in version 26.0.0.
- Vendor: haxtheweb
- Product: haxcms-nodejs
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-09
Who should care
Users of the HAX CMS NodeJS application, particularly those running versions prior to 26.0.0, should be aware of this vulnerability and take steps to update to the latest version.
Technical summary
The HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single such request is enough to cause a denial of service. The vulnerability has a CVSS score of 6.5 and a severity of MEDIUM.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to version 26.0.0 or later to fix the issue.
- Restrict access to the createSite endpoint to prevent unauthorized requests.
Evidence notes
The vulnerability is described in the CVE record [cve-org] and detailed in the NVD [nvd]. A security advisory is also available [ref-4].
Official resources
- CVE-2026-46357 CVE record (CVE.org)
- CVE-2026-46357 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: CVE-2026-46357 was published on 2026-06-05T20:17:33.190Z and modified on 2026-06-09T16:16:41.843Z.