PatchSiren cyber security CVE debrief
CVE-2026-46390 haxtheweb CVE debrief
CVE-2026-46390 is a medium-severity vulnerability in HAX CMS, a content management system for managing microsite universes with PHP or Node.js backends. It affects versions from 2.0.0 up to, but not including, 26.0.0, in which the gitlist plugin is exposed to unauthenticated users. That exposure allows anyone, without logging in, to browse the git repositories and their commit history. The vulnerability carries a CVSS score of 6.9 (MEDIUM severity) and was patched in version 26.0.0.
- Vendor: haxtheweb
- Product: haxcms-php
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-09
Who should care
Users of HAX CMS, particularly those running any version from 2.0.0 up to but not including 26.0.0, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The gitlist plugin in HAX CMS is exposed to unauthenticated users, allowing them to browse git repositories and git history without authentication. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key).
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to version 26.0.0 or later to patch the vulnerability.
- Restrict access to the gitlist plugin to authenticated users only.
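While upgrading, it is worth checking whether the exposed plugin was actually reached by anonymous clients. The script below is an added example, not part of this debrief or of the HAX CMS project: it scans constructed access-log lines and flags successful (HTTP 200) requests under an assumed gitlist route prefix that arrived without a session. The `/gitlist/` prefix and the trailing `session=yes|no` field are assumptions; substitute the route your deployment exposes and whatever session indicator your web server logs.

```python
import re
from urllib.parse import urlparse

# Constructed sample log lines (not real traffic). Format is combined-log-like
# with an extra "session=yes|no" field standing in for "a valid session cookie
# was presented". "/gitlist/" is an assumed placeholder route, not the real path.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2026:19:20:01 +0000] "GET /gitlist/ HTTP/1.1" 200 5123 session=no
203.0.113.10 - - [05/Jun/2026:19:20:03 +0000] "GET /gitlist/site-repo/commits HTTP/1.1" 200 9841 session=no
198.51.100.7 - - [05/Jun/2026:19:21:10 +0000] "GET /gitlist/site-repo/tree/main HTTP/1.1" 200 4410 session=yes
192.0.2.5 - - [05/Jun/2026:19:22:45 +0000] "GET /index.html HTTP/1.1" 200 1200 session=no
203.0.113.10 - - [05/Jun/2026:19:23:00 +0000] "GET /gitlist/site-repo/blob/main/_config.yml HTTP/1.1" 403 0 session=no
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) session=(?P<session>yes|no)$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_unauthenticated_gitlist_hits(log_text, gitlist_prefix="/gitlist/"):
    """Return requests that reached the gitlist route successfully without a session.

    A 200 response to an anonymous client under the prefix is the signature of the
    exposure; a 403 (as expected after the fix or an access-control rule) is not.
    """
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines that are not in the expected format
        path = urlparse(rec["path"]).path  # ignore any query string
        if not path.startswith(gitlist_prefix):
            continue
        if rec["session"] == "no" and rec["status"] == 200:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": path})
    return hits


def summarize_by_ip(hits):
    """Count flagged requests per client address, for triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_unauthenticated_gitlist_hits(SAMPLE_LOG)
    for h in flagged:
        print(f'{h["ts"]} {h["ip"]} anonymous access to {h["path"]}')
    print("per-IP summary:", summarize_by_ip(flagged))
```

On the constructed sample the two anonymous 200 responses from 203.0.113.10 are flagged, the authenticated request and the unrelated page are ignored, and the 403 line is excluded because a denied request is exactly what an access-control rule in front of the plugin should produce.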
Evidence notes
The CVE record [cve-org] and the NVD detail page [nvd] provide the official information about this vulnerability. A source reference [ref-4] is also available on GitHub.
Official resources
- CVE-2026-46390 CVE record (CVE.org)
- CVE-2026-46390 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
CVE-2026-46390 was published on 2026-06-05T19:16:32.863Z and modified on 2026-06-09T16:16:41.953Z.