PatchSiren cyber security CVE debrief
CVE-2026-46393 haxtheweb CVE debrief
CVE-2026-46393 is an authenticated Server-Side Request Forgery (SSRF) vulnerability in HAX CMS versions prior to 26.0.0. This vulnerability allows authenticated users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity. Version 26.0.0 of HAX CMS contains a fix for this vulnerability.
- Vendor: haxtheweb
- Product: haxcms-nodejs
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-08
Who should care
Users of HAX CMS versions prior to 26.0.0 should apply the patch in version 26.0.0 to prevent exploitation of this vulnerability.
Technical summary
HAX CMS versions prior to 26.0.0 contain an authenticated SSRF issue: an authenticated user can make the server request internal or local resources and have the responses written to a web-accessible directory.
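The kind of destination check a server-side fetch feature needs in order to refuse internal or local targets, as an added example. It is not HAX CMS code and not the 26.0.0 fix; all function names are hypothetical.

```javascript
// Added example, not HAX CMS code: destination check for a server-side URL fetch.
// All function names are hypothetical.
const verdict = (ok, reason) => ({ ok, reason });

// True for loopback, private, link-local and other non-public IPv4 ranges.
function isInternalIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) || // 100.64.0.0/10 (carrier-grade NAT)
    (a === 169 && b === 254) ||           // link-local, incl. cloud metadata
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Takes an IPv6 literal as URL serializes it (lowercase, compressed, no brackets).
function isInternalIPv6(ip) {
  if (ip === '::' || ip === '::1') return true;
  if (/^f[cd][0-9a-f]{2}:/.test(ip)) return true; // fc00::/7 unique local
  if (/^fe[89ab][0-9a-f]:/.test(ip)) return true; // fe80::/10 link-local
  const m = ip.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/); // IPv4-mapped
  if (!m) return false;
  const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
  return isInternalIPv4([hi >> 8, hi & 255, lo >> 8, lo & 255].join('.'));
}

function checkFetchTarget(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return verdict(false, 'unparseable URL'); }
  // Only web schemes: file: and similar would read local resources.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return verdict(false, 'scheme not allowed');
  }
  // URL already normalizes forms such as 2130706433 or 0x7f.1 to dotted quads.
  const host = url.hostname.replace(/\.$/, '');
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    return isInternalIPv4(host) ? verdict(false, 'internal IPv4') : verdict(true, 'public IPv4');
  }
  if (host.startsWith('[')) {
    return isInternalIPv6(host.slice(1, -1))
      ? verdict(false, 'internal IPv6') : verdict(true, 'public IPv6');
  }
  if (host === 'localhost' || host.endsWith('.localhost')) {
    return verdict(false, 'localhost name');
  }
  // A DNS name can still point inward: resolve it, run the address checks on every
  // result, connect to the checked address, and repeat the check on each redirect.
  return verdict(true, 'hostname: resolve, then re-check every returned address');
}
```

Storing fetched responses outside the web root, or under server-chosen file names, addresses the second half of the issue: the response being readable from a web-accessible directory.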
Defensive priority
HIGH
Recommended defensive actions
- Apply the patch in version 26.0.0 of HAX CMS to fix the vulnerability.
- Restrict access to the HAX CMS system to only trusted users.
Evidence notes
The CVE record for CVE-2026-46393 can be found at [cve-org]. The NVD detail for CVE-2026-46393 can be found at [nvd]. Additional information can be found in the source reference at [ref-4].
Official resources
- CVE-2026-46393 CVE record (CVE.org)
- CVE-2026-46393 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-46393 was published on 2026-06-05T19:16:33.303Z and modified on 2026-06-08T17:16:50.713Z.