PatchSiren cyber security CVE debrief
CVE-2026-46391 haxtheweb CVE debrief
A vulnerability in HAX CMS, specifically in the @haxtheweb/open-apis package versions 9.0.1 through 25.0.0, allows an attacker to capture Basic authentication credentials. Multiple functions decide whether a request may carry Basic authorization by substring-matching the destination hostname rather than comparing it exactly, so a URL that points at an attacker-controlled endpoint but contains the trusted host string elsewhere (appended to the attacker's own host, path or query) passes the check and receives the credentials. The vulnerability has a CVSS score of 8.7 and is rated HIGH severity.
- Vendor
- haxtheweb
- Product
- @haxtheweb/open-apis
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-05
- Original CVE updated
- 2026-06-08
- Advisory published
- 2026-06-05
- Advisory updated
- 2026-06-08
Who should care
Anyone running HAX CMS with @haxtheweb/open-apis versions 9.0.1 through 25.0.0 is affected. Deployments where the package sends Basic authorization on behalf of users or services are the primary concern, since those credentials are what an attacker can capture.
Technical summary
The root cause is substring-only matching in multiple functions that validate the hostname to which Basic authorization should be sent. A check of that form accepts any URL whose string contains the allow-listed host, not just URLs whose parsed hostname equals it. An attacker therefore only needs to append the matched substring to an endpoint they control, for example in the path, query string or as a prefix of their own domain, and the library attaches the Basic authorization header to a request that goes to the attacker's server, which can then record the credentials.
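The following is an added illustration of the bug class described above, not code from @haxtheweb/open-apis. The trusted host name, the attacker origins and the two helper functions are hypothetical. The first check reproduces the substring-matching pattern; the second parses the URL and compares the hostname exactly, which is the fix a reviewer would expect.

```javascript
// Added example (not from the @haxtheweb/open-apis code base). It contrasts
// a substring-based hostname check with an exact-match check to show why the
// former leaks Basic authorization to attacker-controlled endpoints.
// The trusted host below is hypothetical; the real package's list is not on this page.

const TRUSTED_HOSTS = ["api.example-cms.internal"];

// Flawed check: any URL whose string contains the trusted host passes.
// This is the substring-only validation pattern behind the advisory.
function shouldSendBasicAuthSubstring(url) {
  return TRUSTED_HOSTS.some((host) => url.includes(host));
}

// Hardened check: parse the URL, require https, and compare the parsed
// hostname for equality. No suffix, prefix or substring logic at all.
function shouldSendBasicAuthExact(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input never receives credentials
  }
  if (parsed.protocol !== "https:") return false;
  return TRUSTED_HOSTS.includes(parsed.hostname.toLowerCase());
}

// Constructed sample destinations (not taken from the advisory). Every entry
// except "legit" is an attacker-controlled origin that merely contains the
// trusted host string somewhere in the URL.
const SAMPLES = {
  legit: "https://api.example-cms.internal/v1/items",
  inPath: "https://attacker.example/api.example-cms.internal",
  inQuery: "https://attacker.example/collect?u=api.example-cms.internal",
  asSubdomainPrefix: "https://api.example-cms.internal.attacker.example/",
  inUserinfo: "https://api.example-cms.internal@attacker.example/",
  plainHttp: "http://api.example-cms.internal/v1/items",
};

// Runs a check over every sample and returns a name -> boolean map.
function evaluate(check) {
  const out = {};
  for (const [name, url] of Object.entries(SAMPLES)) out[name] = check(url);
  return out;
}

// Counts how many attacker-controlled samples a check would send credentials to.
function leakCount(check) {
  const results = evaluate(check);
  return Object.entries(results).filter(([name, ok]) => name !== "legit" && ok).length;
}

console.log("substring check:", evaluate(shouldSendBasicAuthSubstring));
console.log("exact check:    ", evaluate(shouldSendBasicAuthExact));
```

The substring check sends credentials to all five attacker-controlled samples; the exact check accepts only the legitimate https endpoint. Note that the userinfo case (trusted host before the @) is caught by parsing, since the URL parser assigns the part after the @ as the hostname.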
Defensive priority
HIGH
Recommended defensive actions
- Upgrade @haxtheweb/open-apis to version 26.0.0, which fixes the issue. Confirm the installed version with npm ls @haxtheweb/open-apis, as the package may be pulled in transitively.
- Review any configuration that names endpoints for Basic authorization and confirm that credentials are only released after an exact comparison of the parsed hostname, not a substring match. If a vulnerable version handled Basic credentials while exposed to attacker-supplied URLs, treat those credentials as potentially captured and rotate them.
Evidence notes
The vulnerability is confirmed by the CVE record and details from the NVD.
Official resources
- CVE-2026-46391 CVE record (CVE.org)
- CVE-2026-46391 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-46391 was published on 2026-06-05T19:16:33.007Z and modified on 2026-06-08T17:16:50.563Z.