PatchSiren cyber security CVE debrief
CVE-2026-46397 haxtheweb CVE debrief
CVE-2026-46397 is a MEDIUM-severity vulnerability in HAX CMS, a microsite universe management system. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability exists in the saveOutline endpoint. This allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. The vulnerability enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data).
- Vendor: haxtheweb
- Product: haxcms-php
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-08
Who should care
Operators of HAX CMS instances that grant accounts to low-privileged users (any authenticated user can reach the saveOutline endpoint) should be aware of this vulnerability. System administrators and security teams responsible for managing and securing microsite universes built on HAX CMS should prioritize upgrading to version 26.0.0 or later.
Technical summary
The vulnerability has a CVSS score of 6.5 and is classified as CWE-22 (path traversal) and CWE-73 (external control of file name or path). The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: the vulnerability is exploitable over the network (AV:N) with low attack complexity (AC:L), requires only low privileges (PR:L) and no user interaction (UI:N), and has a high confidentiality impact (C:H) with no integrity or availability impact.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade HAX CMS to version 26.0.0 or later to patch the vulnerability.
- Review and restrict access to the saveOutline endpoint, and validate the location field server-side so that it can only resolve to a path inside the site's own directory.
- Monitor for suspicious activity related to file inclusion and exfiltration attempts.
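The second and third actions above both come down to treating the location field as untrusted input: confine it to the site directory before it is written to site.json, and audit existing site.json outlines for values that escape that directory. The following is an added illustration of that check, not code from haxcms-php; the site root path, the outline items and the function names are constructed for the example.

```python
import os
import posixpath
from typing import List, Optional

# Hypothetical site root; in a real deployment this is the directory
# that holds the site's site.json and page files.
SITE_ROOT = "/srv/hax/sites/demo"

# Constructed sample outline entries of the shape found in site.json.
# Only the first two stay inside the site directory.
SAMPLE_OUTLINE = [
    {"id": "item-1", "title": "Intro", "location": "pages/intro/index.html"},
    {"id": "item-2", "title": "Notes", "location": "pages/a/../notes.html"},
    {"id": "item-3", "title": "Oops", "location": "../../../../etc/passwd"},
    {"id": "item-4", "title": "Abs", "location": "/etc/passwd"},
    {"id": "item-5", "title": "Null", "location": "pages/x.html\x00.jpg"},
]


def confine_location(site_root: str, location: str) -> Optional[str]:
    """Return the resolved absolute path for `location` if it stays inside
    `site_root`, otherwise None. Rejects NUL bytes, absolute paths, lexical
    traversal ("..") and, via realpath, symlinks that point outside the root."""
    if "\x00" in location:
        return None
    # A page location is always relative to the site; absolute paths are never valid.
    if location.startswith("/") or location.startswith("\\"):
        return None
    # Lexical normalisation first: collapses ".", "//" and in-tree "..".
    normalized = posixpath.normpath(location.replace("\\", "/"))
    if normalized == ".." or normalized.startswith("../"):
        return None
    root = os.path.realpath(site_root)
    candidate = os.path.realpath(os.path.join(root, normalized))
    # Final containment check on the resolved path (catches symlink escapes).
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def audit_outline(site_root: str, outline: List[dict]) -> List[str]:
    """Return the ids of outline items whose location escapes the site root.
    Suitable for a one-off sweep of stored site.json files or as the validation
    step before an outline is saved."""
    return [
        item["id"]
        for item in outline
        if confine_location(site_root, str(item.get("location", ""))) is None
    ]


if __name__ == "__main__":
    for bad in audit_outline(SITE_ROOT, SAMPLE_OUTLINE):
        print("rejected outline item:", bad)
```

The check runs on the decoded value the application would actually use, so apply it after any URL or JSON decoding, and keep the realpath step even though the lexical check already rejects obvious traversal: a symlink inside the site directory is only caught by resolving the path on disk.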
Evidence notes
The CVE record [cve-org] and the NVD detail page [nvd] provide the official information about the vulnerability. A source reference [ref-4] on GitHub carries the project's security advisory.
Official resources
- CVE-2026-46397 CVE record (CVE.org)
- CVE-2026-46397 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
CVE-2026-46397 was published on 2026-06-05T20:17:33.747Z and modified on 2026-06-08T17:16:50.823Z.