PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46398 haxtheweb CVE debrief

CVE-2026-46398 is a HIGH severity vulnerability in HAX CMS, affecting versions starting from 25.0.0 and prior to 26.0.0. The vulnerability arises from the insecure setting of the haxcms_refresh_token cookie, which is transmitted without the Secure flag. This allows the token to be intercepted via packet sniffing on the network, potentially leading to unauthorized access. The issue was fixed in version 26.0.0.

Vendor
haxtheweb
Product
haxcms-php
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-05
Original CVE updated
2026-06-05
Advisory published
2026-06-05
Advisory updated
2026-06-05

Who should care

Users of HAX CMS, particularly those who have upgraded to version 25.0.0 but not yet to 26.0.0, should be aware of this vulnerability and take immediate action to secure their installations.

Technical summary

The haxcms_refresh_token cookie is set without the Secure flag in HAX CMS versions 25.0.0 through 25.x.x. Because the flag is absent, a browser will include the cookie on any plain-HTTP request to the site, not only on HTTPS requests, so the refresh token can travel over an unencrypted connection where it is exposed to interception via packet sniffing. An attacker in a position to observe that traffic could steal the refresh token and potentially gain unauthorized access to the system.
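The defect class described above is easy to check for from the defender's side: read the Set-Cookie headers a site returns and flag session or refresh cookies that lack the Secure flag. The script below is an added example, not code from HAX CMS or PatchSiren; the two header values it inspects are constructed to show the vulnerable shape (no Secure flag) beside the hardened shape, and the token value is a placeholder. It also models the one client rule that makes the flag matter: a Secure cookie is never sent over plain http.

```python
# Added example (not HAX CMS code): audit Set-Cookie headers for cookies
# that lack the Secure flag and model when a browser would send them.
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value, or None for bare flags (Secure, HttpOnly)
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def missing_protections(cookie: Cookie) -> list[str]:
    """Return the protective attributes a session/refresh cookie should carry but lacks."""
    missing = []
    if "secure" not in cookie.attrs:      # the CVE-2026-46398 defect class
        missing.append("Secure")
    if "httponly" not in cookie.attrs:    # keeps the token away from page scripts
        missing.append("HttpOnly")
    if cookie.attrs.get("samesite") is None:
        missing.append("SameSite")
    return missing


def browser_sends_cookie(cookie: Cookie, scheme: str) -> bool:
    """Model the client rule that matters here: a Secure cookie is only sent over https."""
    if "secure" in cookie.attrs:
        return scheme == "https"
    return scheme in ("http", "https")


# Constructed sample headers; the token value is a placeholder, not a real token.
SAMPLE_HEADERS = {
    "vulnerable": "haxcms_refresh_token=CONSTRUCTED_TOKEN; Path=/; HttpOnly; SameSite=Strict",
    "hardened": "haxcms_refresh_token=CONSTRUCTED_TOKEN; Path=/; Secure; HttpOnly; SameSite=Strict",
}


def audit(headers: dict[str, str]) -> dict[str, list[str]]:
    """Map each labelled Set-Cookie header to the protections its cookie is missing."""
    return {label: missing_protections(parse_set_cookie(h)) for label, h in headers.items()}


if __name__ == "__main__":
    for label, missing in audit(SAMPLE_HEADERS).items():
        cookie = parse_set_cookie(SAMPLE_HEADERS[label])
        print(f"{label:10s} missing={missing or 'none'} "
              f"sent_over_http={browser_sends_cookie(cookie, 'http')}")
```

On a live deployment the same check can be run against the headers returned by the login or token-refresh endpoint (for example from `curl -I` output), and it belongs in a post-upgrade verification step: after moving to 26.0.0, confirm the refresh cookie now carries Secure rather than assuming it does.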

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to HAX CMS version 26.0.0 or later to fix the issue.
  • Ensure that all communications with the HAX CMS system are made over HTTPS to mitigate the risk of token interception.
  • Review and update security configurations to prevent unauthorized access.

Evidence notes

The CVE-2026-46398 vulnerability was publicly disclosed on 2026-06-05. The vulnerability has a CVSS score of 8.8 and is considered HIGH severity. For more information, refer to the linked resources: [cve-org], [nvd], and [ref-4].

Official resources

CVE-2026-46398 was published on 2026-06-05T20:17:33.910Z and modified on 2026-06-05T20:48:21.200Z.