These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-46493 is a HIGH severity vulnerability in HAX CMS, a microsite universe management system. Versions prior to 26.0.1 use `uniqid` for generating salts, which is unsuitable. This vulnerability was published on [cvePublishedAt] and modified on [cveModifiedAt].
CVE-2026-46401 is a MEDIUM severity vulnerability in HAX CMS, a microsite universe management system, which allows attackers to maintain persistent access to authenticated CMS functionality after a user logs out. This is due to an improper session termination mechanism, where authentication tokens remain valid even after logout.
CVE-2026-46400 is a high-severity vulnerability in HAX CMS, a microsite universe management system. The vulnerability exists in the file upload functionality of HAXCMS PHP, starting from version 11.0.6 and prior to version 25.0.0. The file upload functionality only validates file extensions using a regex pattern without checking the actual file content or MIME type. This allows attackers to upload malicio [truncated]
CVE-2026-46398 is a HIGH severity vulnerability in HAX CMS, affecting versions starting from 25.0.0 and prior to 26.0.0. The vulnerability arises from the insecure setting of the haxcms_refresh_token cookie, which is transmitted without the Secure flag. This allows the token to be intercepted via packet sniffing on the network, potentially leading to unauthorized access. The issue was fixed in version 26.0.0.
CVE-2026-46397 is a MEDIUM-severity vulnerability in HAX CMS, a microsite universe management system. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability exists in the saveOutline endpoint. This allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. The vulnerability enables attackers to exfiltrate sensit [truncated]
CVE-2026-46357 is a vulnerability in the HAX CMS NodeJS application. Prior to version 26.0.0, an authenticated attacker can crash the application by sending a specially crafted site creation request to the createSite endpoint. This can be done with a single request, taking the entire application offline and requiring a manual server restart to restore service. The issue is fixed in version 26.0.0.
CVE-2026-46511 is a HIGH-severity vulnerability in HAX CMS, a microsite universe management system, which allows an authenticated attacker to perform a complete cross-tenant account takeover. The vulnerability, patched in version 26.0.0, involves an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint.
A stored cross-site scripting (XSS) vulnerability exists in HAX CMS versions prior to 26.0.0. The vulnerability is caused by improper sanitization of the `<video-player>` component, which allows `javascript:` URIs in the `source` attribute. These URIs are executed when the page is viewed, enabling attackers to execute arbitrary JavaScript in the context of the victim's browser. This allows access to sensi [truncated]
CVE-2026-46399 is a critical vulnerability in HAX CMS, a microsite universe management system. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git filter commands and achieve code execution on the HAX CMS server. Version 26.0.0 patches the issue.
A stored cross-site scripting (XSS) vulnerability exists in HAX CMS versions prior to 26.0.0. The vulnerability is caused by improper sanitization of `<iframe>` elements, allowing `javascript:` URIs in the `src` attribute. This enables attackers to execute arbitrary JavaScript in the context of the victim's browser and access sensitive data exposed to client-side scripts. The vulnerability has a CVSS scor [truncated]
CVE-2026-46395 is a critical vulnerability in HAX CMS, a microsite universe management system with PHP or Node.js backends. Prior to version 26.0.0, the `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementation errors. These errors allow any unauthenticated attacker to extract the system's private signing key and forge arbitrary admin-level JSON Web Tokens (J [truncated]
CVE-2026-46394 is an OS command injection vulnerability in the Git.php library of the HAXcms PHP backend. The vulnerability allows an attacker to execute OS commands with the privileges of the web server. This issue can lead to full remote code execution and complete system compromise when combined with another vulnerability that allows configuration manipulation. The vulnerability was patched in version 26.0.0.
CVE-2026-46393 is an authenticated Server-Side Request Forgery (SSRF) vulnerability in HAX CMS versions prior to 26.0.0. This vulnerability allows authenticated users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity. Ver [truncated]
CVE-2026-46392 is a HIGH severity vulnerability in HAX CMS PHP prior to version 26.0.0. The `saveFile` endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim. However, the `.htaccess` rule that forces `Content-Disposition: attachment` on HTML files is case-sensitive. This allows an HTML file uploaded with an uppercase extension (`.HTML`, `.Html`, `.HTM`) to be ser [truncated]
A vulnerability in HAX CMS, specifically in the @haxtheweb/open-apis package versions 9.0.1 to 25.0.0, allows attackers to capture authentication. The issue arises from multiple functions that conduct substring-only matching to validate hostnames for basic authorization. An attacker can exploit this by appending the matched substrings to an attacker-controlled endpoint, thereby capturing authentication. T [truncated]
CVE-2026-46390 is a medium-severity vulnerability in HAX CMS, a content management system that helps manage microsite universes with PHP or NodeJs backends. The vulnerability affects versions starting from 2.0.0 and prior to 26.0.0, where the gitlist plugin is exposed to unauthenticated users. This exposure allows unauthenticated browsing of git repositories and git history. The vulnerability has a CVSS s [truncated]
A stored cross-site scripting (XSS) vulnerability in HAX CMS allows authenticated users with page editing permissions to bypass the HTML sanitizer by injecting event handler attributes without preceding whitespace. The vulnerability affects versions up to and including 26.0.0 across both PHP and Node.js backends. The issue resides in the `/system/api/saveNode` endpoint, where insufficient input validation [truncated]