PatchSiren

haxtheweb CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH haxtheweb CVE published 2026-06-05

CVE-2026-46493

CVE-2026-46493 is a HIGH severity vulnerability in HAX CMS, a microsite universe management system. Versions prior to 26.0.1 use `uniqid` for generating salts, which is unsuitable. This vulnerability was published on [cvePublishedAt] and modified on [cveModifiedAt].

MEDIUM haxtheweb CVE published 2026-06-05

CVE-2026-46401

CVE-2026-46401 is a MEDIUM severity vulnerability in HAX CMS, a microsite universe management system, which allows attackers to maintain persistent access to authenticated CMS functionality after a user logs out. This is due to an improper session termination mechanism, where authentication tokens remain valid even after logout.

HIGH haxtheweb CVE published 2026-06-05

CVE-2026-46400

CVE-2026-46400 is a high-severity vulnerability in HAX CMS, a microsite universe management system. The vulnerability exists in the file upload functionality of HAXCMS PHP, starting from version 11.0.6 and prior to version 25.0.0. The file upload functionality only validates file extensions using a regex pattern without checking the actual file content or MIME type. This allows attackers to upload malicio [truncated]

HIGH haxtheweb CVE published 2026-06-05

CVE-2026-46398

CVE-2026-46398 is a HIGH severity vulnerability in HAX CMS, affecting versions starting from 25.0.0 and prior to 26.0.0. The vulnerability arises from the insecure setting of the haxcms_refresh_token cookie, which is transmitted without the Secure flag. This allows the token to be intercepted via packet sniffing on the network, potentially leading to unauthorized access. The issue was fixed in version 26.0.0.

MEDIUM haxtheweb CVE published 2026-06-05

CVE-2026-46397

CVE-2026-46397 is a MEDIUM-severity vulnerability in HAX CMS, a microsite universe management system. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability exists in the saveOutline endpoint. This allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. The vulnerability enables attackers to exfiltrate sensit [truncated]

MEDIUM haxtheweb CVE published 2026-06-05

CVE-2026-46357

CVE-2026-46357 is a vulnerability in the HAX CMS NodeJS application. Prior to version 26.0.0, an authenticated attacker can crash the application by sending a specially crafted site creation request to the createSite endpoint. This can be done with a single request, taking the entire application offline and requiring a manual server restart to restore service. The issue is fixed in version 26.0.0.

HIGH haxtheweb CVE published 2026-06-05

CVE-2026-46511

CVE-2026-46511 is a HIGH-severity vulnerability in HAX CMS, a microsite universe management system, which allows an authenticated attacker to perform a complete cross-tenant account takeover. The vulnerability, patched in version 26.0.0, involves an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint.

CRITICAL haxtheweb CVE published 2026-06-05

CVE-2026-46496

A stored cross-site scripting (XSS) vulnerability exists in HAX CMS versions prior to 26.0.0. The vulnerability is caused by improper sanitization of the `<video-player>` component, which allows `javascript:` URIs in the `source` attribute. These URIs are executed when the page is viewed, enabling attackers to execute arbitrary JavaScript in the context of the victim's browser. This allows access to sensi [truncated]

CRITICAL haxtheweb CVE published 2026-06-05

CVE-2026-46399

CVE-2026-46399 is a critical vulnerability in HAX CMS, a microsite universe management system. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git filter commands and achieve code execution on the HAX CMS server. Version 26.0.0 patches the issue.

CRITICAL haxtheweb CVE published 2026-06-05

CVE-2026-46396

A stored cross-site scripting (XSS) vulnerability exists in HAX CMS versions prior to 26.0.0. The vulnerability is caused by improper sanitization of `<iframe>` elements, allowing `javascript:` URIs in the `src` attribute. This enables attackers to execute arbitrary JavaScript in the context of the victim's browser and access sensitive data exposed to client-side scripts. The vulnerability has a CVSS scor [truncated]

CRITICAL haxtheweb CVE published 2026-06-05

CVE-2026-46395

CVE-2026-46395 is a critical vulnerability in HAX CMS, a microsite universe management system with PHP or Node.js backends. Prior to version 26.0.0, the `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementation errors. These errors allow any unauthenticated attacker to extract the system's private signing key and forge arbitrary admin-level JSON Web Tokens (J [truncated]

HIGH haxtheweb CVE published 2026-06-05

CVE-2026-46394

CVE-2026-46394 is an OS command injection vulnerability in the Git.php library of the HAXcms PHP backend. The vulnerability allows an attacker to execute OS commands with the privileges of the web server. This issue can lead to full remote code execution and complete system compromise when combined with another vulnerability that allows configuration manipulation. The vulnerability was patched in version 26.0.0.

HIGH haxtheweb CVE published 2026-06-05

CVE-2026-46393

CVE-2026-46393 is an authenticated Server-Side Request Forgery (SSRF) vulnerability in HAX CMS versions prior to 26.0.0. This vulnerability allows authenticated users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity. Ver [truncated]

HIGH haxtheweb CVE published 2026-06-05

CVE-2026-46392

CVE-2026-46392 is a HIGH severity vulnerability in HAX CMS PHP prior to version 26.0.0. The `saveFile` endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim. However, the `.htaccess` rule that forces `Content-Disposition: attachment` on HTML files is case-sensitive. This allows an HTML file uploaded with an uppercase extension (`.HTML`, `.Html`, `.HTM`) to be ser [truncated]

HIGH haxtheweb CVE published 2026-06-05

CVE-2026-46391

A vulnerability in HAX CMS, specifically in the @haxtheweb/open-apis package versions 9.0.1 to 25.0.0, allows attackers to capture authentication. The issue arises from multiple functions that conduct substring-only matching to validate hostnames for basic authorization. An attacker can exploit this by appending the matched substrings to an attacker-controlled endpoint, thereby capturing authentication. T [truncated]

MEDIUM haxtheweb CVE published 2026-06-05

CVE-2026-46390

CVE-2026-46390 is a medium-severity vulnerability in HAX CMS, a content management system that helps manage microsite universes with PHP or NodeJs backends. The vulnerability affects versions starting from 2.0.0 and prior to 26.0.0, where the gitlist plugin is exposed to unauthenticated users. This exposure allows unauthenticated browsing of git repositories and git history. The vulnerability has a CVSS s [truncated]

HIGH haxtheweb CVE published 2026-05-29

CVE-2026-48527

A stored cross-site scripting (XSS) vulnerability in HAX CMS allows authenticated users with page editing permissions to bypass the HTML sanitizer by injecting event handler attributes without preceding whitespace. The vulnerability affects versions up to and including 26.0.0 across both PHP and Node.js backends. The issue resides in the `/system/api/saveNode` endpoint, where insufficient input validation [truncated]