VYPR
Medium severity · NVD Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

CVE-2026-46390

Description

HAX CMS gitlist plugin exposes git repositories and history to unauthenticated users, potentially revealing secrets.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Starting in version 2.0.0 and prior to version 26.0.0, the gitlist plugin in HAX CMS is exposed to unauthenticated users. Git repositories are indexed by the username of the site owner, allowing an attacker to modify a GET request URL and access git repositories and their history belonging to a specific user. This endpoint does not require authentication [1].

Exploitation

An attacker needs to know or guess a User ID. They can then navigate to the `/<User ID>/gitlist/` endpoint and access the git repositories and history of that user without any authentication [1].

Impact

An unauthenticated attacker can view the source code of git repositories and their entire git history. This can expose secrets or other confidential information that was not intended for public access, and review of the exposed code can inform further attacks [1].

Mitigation

Version 26.0.0 patches this issue. Users should update to version 26.0.0 or later. The release date for version 26.0.0 is not specified in the available references [1].

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The gitlist plugin allows unauthenticated access to git repositories and history."

Attack vector

An unauthenticated attacker can exploit this vulnerability by knowing a User ID on the HAX CMS instance. The attacker modifies the URL of a GET request to include the User ID and the gitlist endpoint, such as `/<User ID>/gitlist/`. This allows them to browse git repositories and their history without any authentication [1].
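From the defender's side, the URL pattern described above is what shows up in web-server access logs. The following Python script is an added example, not code from the page or from the HAX CMS project: it scans access-log lines in the common combined format for requests matching `/<User ID>/gitlist/`, keeps those the server actually served (2xx), and flags any client that touched several different users' repositories, which is the enumeration pattern an attacker exploiting this issue would leave. The log lines, the IP addresses and the usernames are constructed for the example; the 401 response for a denied request after the 26.0.0 fix is an assumption, since the page does not state what status code the patched plugin returns.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format). Not taken from any
# real HAX CMS instance; IPs, usernames and timestamps are made up for the example.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2026:10:00:01 +0000] "GET /alice/gitlist/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Jun/2026:10:00:03 +0000] "GET /bob/gitlist/ HTTP/1.1" 200 4711 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Jun/2026:10:00:05 +0000] "GET /carol/gitlist/site-one/commits HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2026:10:01:00 +0000] "GET /alice/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2026:10:01:02 +0000] "GET /alice/gitlist/ HTTP/1.1" 401 312 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identity, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# The exposed endpoint pattern from the advisory: /<User ID>/gitlist/ and anything below it.
GITLIST_RE = re.compile(r'^/(?P<user>[^/]+)/gitlist(?:/|$)')


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_gitlist_hits(log_text):
    """Return (ip, user, path, status) for every request that targeted a gitlist path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        gm = GITLIST_RE.match(rec["path"])
        if gm is None:
            continue
        hits.append((rec["ip"], gm.group("user"), rec["path"], rec["status"]))
    return hits


def summarize(hits, enum_threshold=2):
    """Group served (2xx) gitlist hits by client IP.

    A client that successfully pulled gitlist content for enum_threshold or more
    distinct users is flagged as enumeration. Denied requests (non-2xx, e.g. the
    assumed 401 after the fix) are not counted as exposure.
    """
    served = defaultdict(set)
    for ip, user, _path, status in hits:
        if 200 <= status < 300:
            served[ip].add(user)
    return {
        ip: {"users": sorted(users), "enumeration": len(users) >= enum_threshold}
        for ip, users in served.items()
    }


if __name__ == "__main__":
    for ip, info in summarize(find_gitlist_hits(SAMPLE_LOG)).items():
        flag = "ENUMERATION" if info["enumeration"] else "single-user"
        print(f"{ip}: served gitlist content for {info['users']} [{flag}]")
```

Running the script on real logs is a quick way to check whether an instance was browsed before the upgrade: any 2xx hits on these paths from clients that never authenticated are worth treating as a possible exposure of repository contents and history, and the affected repositories should be reviewed for committed secrets.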

Affected code

The gitlist plugin is directly responsible for this vulnerability. The advisory indicates that the plugin is exposed to unauthenticated users, allowing unauthorized access to git repositories and their history [1].

What the fix does

Version 26.0.0 of HAX CMS addresses this vulnerability by implementing authentication checks for the gitlist plugin. This ensures that only authenticated users can access git repositories and their history, preventing unauthorized browsing and exposure of sensitive information [1].

Preconditions

  • Auth: The attacker must be unauthenticated.
  • Input: The attacker must know a valid User ID on the HAX CMS instance.

Reproduction

Navigate to the `/<User ID>/gitlist/` endpoint to confirm exposure of git repositories. Confirm that git repositories are accessible without authentication. Confirm that git history is accessible without authentication [1].

Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 1