Vypr Intelligence · AI-generated · Jun 5, 2026 · 15 CVEs

HAX CMS: 15 Vulnerabilities Disclosed Together on June 5, 2026

Fifteen vulnerabilities affecting HAX CMS were disclosed on June 5, 2026, ranging from critical to medium severity, impacting both PHP and Node.js backends.

Key findings

  • Fifteen HAX CMS vulnerabilities disclosed together on June 5, 2026.
  • Critical flaws include RCE via file overwrite and private key extraction.
  • Stored XSS vulnerabilities affect video players and iframes.
  • File upload, LFI, and SSRF vulnerabilities impact authenticated users.
  • Improper session termination and insecure cookie handling noted.
  • All issues addressed in HAX CMS version 26.0.1.

HAX CMS Plagued by 15 Vulnerabilities Disclosed in Single Batch

On June 5, 2026, a significant batch of fifteen vulnerabilities was disclosed for HAX CMS, a platform used for managing microsite universes with PHP or Node.js backends. The vulnerabilities, disclosed within a one-hour window, span a range of severities from critical to medium, highlighting a broad set of security weaknesses within the platform. The disclosures include issues such as stored cross-site scripting (XSS), file upload vulnerabilities, improper session termination, and cryptographic implementation errors, affecting versions prior to 26.0.0 and, in some cases, specific earlier versions.

Critical Vulnerabilities Uncovered

A cluster of critical vulnerabilities demands immediate attention. CVE-2026-46395, affecting the HAXcms Node.js backend, contains critical cryptographic implementation errors in the hmacBase64() function. These errors allow unauthenticated attackers to extract the system's private signing key and forge arbitrary signatures, potentially leading to complete system compromise. Additionally, CVE-2026-46396, a stored cross-site scripting (XSS) vulnerability, arises from improper sanitization of <iframe> elements, allowing javascript: URIs in the src attribute to execute malicious code when a compromised page is viewed. Another critical flaw, CVE-2026-46399, found in the PHP version of HAX CMS, is an authenticated file overwrite vulnerability that can lead to code execution on the server by configuring malicious Git filter commands. Finally, CVE-2026-46496, a stored XSS vulnerability in the <video-player> component, allows javascript: URIs in the source attribute due to improper sanitization, posing a significant risk.
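The two stored XSS issues above share one root cause: a user-controlled `src` value reaches an `<iframe>` or `<video-player>` element without its URL scheme being checked. The following is an added example, not HAX CMS code, showing the defensive pattern: parse the value with the WHATWG `URL` class and allow only `http:` and `https:`. It assumes a Node.js runtime; `SITE_ORIGIN` and the sample inputs are constructed placeholders.

```javascript
// Added example (not HAX CMS code): scheme allowlisting for <iframe>/<video> src values.
// Assumes Node.js with the global WHATWG URL class.
const SITE_ORIGIN = "https://site.example"; // constructed placeholder base for relative URLs
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalized absolute URL string when the scheme is allowed, otherwise null.
// Parsing with URL (instead of regex-matching the raw string) handles case differences,
// leading whitespace and embedded tab/newline characters the same way a browser does.
function safeMediaSrc(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    url = new URL(raw, SITE_ORIGIN);
  } catch {
    return null; // unparseable input is rejected rather than passed through
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Escapes a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Emits the element only when the src survives the allowlist; otherwise emits nothing.
function renderIframe(rawSrc) {
  const src = safeMediaSrc(rawSrc);
  return src === null ? "" : `<iframe src="${escapeAttr(src)}" sandbox></iframe>`;
}

// Constructed sample inputs: two legitimate values and several scheme variants
// that a raw-string check would miss but the URL parser normalizes.
const SAMPLES = [
  "https://videos.example/clip.mp4",
  "/media/local.mp4",
  "javascript:void(0)",
  "JaVaScRiPt:void(0)",
  "  javascript:void(0)",
  "java\tscript:void(0)",
  "data:text/html,x",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", safeMediaSrc(s));
}
```

The `sandbox` attribute on the rendered iframe is a second, independent layer: even if an allowed origin serves hostile content, the frame cannot run scripts or navigate the top-level page unless the sandbox is explicitly relaxed.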

High Severity Flaws in File Handling and Authentication

Several high-severity vulnerabilities also emerged, primarily concerning file handling and authentication mechanisms. CVE-2026-46392, a high-severity flaw in HAX CMS PHP, allows authenticated users to upload malicious files by bypassing extension validation and exploiting case-insensitive .htaccess rules. Similarly, CVE-2026-46393 presents an authenticated Server-Side Request Forgery (SSRF) vulnerability, enabling authenticated users to read arbitrary files on the server by fetching internal resources and writing responses to a web-accessible directory. CVE-2026-46391, affecting @haxtheweb/open-apis, involves substring-only hostname validation in basic authorization functions, allowing attackers to bypass security checks by appending matched substrings. CVE-2026-46493, rated High, points to the use of uniqid for generating salts, which is deemed unsuitable for security purposes. CVE-2026-46398 highlights that the haxcms_refresh_token cookie is set without the Secure flag, making it vulnerable to theft over unencrypted HTTP.
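CVE-2026-46391 describes a hostname check that tests whether an allowed name appears anywhere in the input, so any host that merely contains that name passes. The block below is an added example, not code from @haxtheweb/open-apis: it reconstructs the substring pattern only to contrast it with an exact comparison of the parsed hostname. It assumes Node.js; the allowlist and sample URLs are constructed placeholders.

```javascript
// Added example (not @haxtheweb/open-apis code): exact hostname matching versus substring matching.
// Assumes Node.js with the global WHATWG URL class.
const ALLOWED_HOSTS = ["api.site.example", "cdn.site.example"]; // constructed placeholder allowlist

// The substring pattern the advisory describes, reconstructed here to show why it fails:
// a URL only has to contain an allowed name somewhere (in the host, the userinfo,
// the path or the query) to pass.
function weakHostCheck(rawUrl) {
  return ALLOWED_HOSTS.some((h) => rawUrl.includes(h));
}

// Parse first, then compare the whole hostname. The URL parser decides what the host
// actually is, so userinfo, path and query tricks never reach the comparison.
function strictHostCheck(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // not a URL at all
  }
  if (url.protocol !== "https:") return false;
  // URL already lower-cases the hostname; compare for equality, not containment.
  // If subdomains of an allowed host are intended, test
  // host.endsWith("." + h) on the parsed hostname, never on the raw string.
  const host = url.hostname;
  return ALLOWED_HOSTS.some((h) => host === h);
}

// Constructed sample inputs: one legitimate URL and several that contain an
// allowed name without actually pointing at an allowed host.
const SAMPLE_URLS = [
  "https://api.site.example/v1/status",
  "https://api.site.example.attacker.test/",
  "https://api.site.example@attacker.test/",
  "https://attacker.test/?u=api.site.example",
  "http://api.site.example/",
  "not a url",
];
for (const u of SAMPLE_URLS) {
  console.log(JSON.stringify(u), "weak:", weakHostCheck(u), "strict:", strictHostCheck(u));
}
```

The same rule applies to any check that gates a privileged action on an origin: derive the value from the parsed URL (`hostname`, `protocol`, `port`) and compare it for equality against a fixed list.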

Medium Severity Issues and Session Management

Medium severity vulnerabilities include CVE-2026-46401, an improper session termination vulnerability in which authentication tokens remain valid after logout, allowing persistent access for attackers who obtain them. CVE-2026-46400, a file upload vulnerability in HAXCMS PHP, allows attackers to upload malicious files because the application validates only file extensions via regex, without checking MIME types or file content. CVE-2026-46357, a denial-of-service vulnerability in the HAX CMS NodeJS application, occurs when an authenticated attacker sends a specially crafted site creation request, causing the application to crash. CVE-2026-46397, an authenticated Local File Inclusion (LFI) vulnerability in the saveOutline endpoint, allows low-privileged users to read arbitrary files by manipulating the location field. Lastly, CVE-2026-46390, affecting the gitlist plugin, exposes git repositories and history to unauthenticated users.

Patching and Mitigation

HAX CMS has addressed these vulnerabilities with the release of version 26.0.1, which includes fixes for all disclosed issues. Users are strongly advised to update to version 26.0.1 or later to mitigate these risks. For specific issues, earlier versions like 26.0.0, 11.0.6, 9.0.1, and 2.0.0 are mentioned as being affected, with patches applied in subsequent releases. The vendor's advisories and release notes for version 26.0.1 should be consulted for detailed information on the fixes.

Conclusion

This coordinated disclosure of fifteen vulnerabilities underscores the importance of timely patching and security updates for HAX CMS users. The breadth of issues, including critical remote code execution and account takeover possibilities, necessitates prompt action. Staying updated with the latest security advisories from Haxtheweb is crucial for maintaining the integrity and security of HAX CMS deployments.

AI-written article. Grounded in 15 CVE records listed below.