CVE-2026-46398
Description
HAX CMS versions prior to 26.0.0 are vulnerable to session hijacking due to the haxcms_refresh_token cookie lacking the Secure flag.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Starting in version 25.0.0 and prior to version 26.0.0, HAX CMS sets the haxcms_refresh_token cookie without the Secure attribute, so the browser will also attach it to plaintext HTTP requests for the site instead of restricting it to HTTPS. The cookie is issued from the system/backend/php/lib/Operations.php file [1].
Exploitation
An attacker positioned on the victim's network path (the same Wi-Fi network, for example) can passively sniff traffic and read the haxcms_refresh_token cookie whenever the victim's browser sends it over an unencrypted HTTP connection to the HAX CMS application [1]. The victim does not have to deliberately browse the site over HTTP: because the cookie lacks the Secure attribute, the browser attaches it to any http:// request for that host, so an active attacker who can make the browser load a plaintext URL for the CMS host (an injected link or image on another page, for instance) receives the cookie even if the site normally serves HTTPS.
Impact
Successful exploitation allows an attacker to hijack the victim's session by using the stolen haxcms_refresh_token cookie, potentially gaining unauthorized access to the HAX CMS application with the victim's privileges [1].
Mitigation
Version 26.0.0 addresses this issue by setting the Secure flag on the haxcms_refresh_token cookie, so browsers only send it over HTTPS [1]. Deployers should additionally enforce HTTPS for all connections (redirect HTTP to HTTPS and send a Strict-Transport-Security header so the browser never issues a plaintext request to the host in the first place) and consider adding the SameSite attribute to the cookies [1]. When verifying a deployment, inspect the Set-Cookie header for haxcms_refresh_token on a login response and confirm it carries Secure; checking HttpOnly and SameSite at the same time costs nothing.
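The following script is an added example for this advisory, not code from HAX CMS, and it illustrates both the Exploitation and Mitigation sections above. It parses Set-Cookie headers, reports which transport-hardening attributes (Secure, HttpOnly, SameSite) are missing, and models the browser rule that makes the Secure attribute matter: a cookie without it is attached to http:// requests, a cookie with it is not. The two sample headers are constructed: they carry only the attributes this advisory mentions, so any HttpOnly or SameSite finding against them describes the samples, not the real project's headers, and the token values are made up. Domain and path matching are not modelled; only the scheme rule is.

```python
"""Audit Set-Cookie headers for the attributes that keep a session cookie
off plaintext HTTP. Added example for CVE-2026-46398; not HAX CMS code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed samples. The first mirrors the advisory's description of the
# cookie before 26.0.0 (no Secure attribute); the second mirrors the fix.
# Token values are invented and carry no meaning.
VULNERABLE_HEADER = "haxcms_refresh_token=c29tZS1tYWRlLXVwLXRva2Vu; Path=/"
FIXED_HEADER = "haxcms_refresh_token=c29tZS1tYWRlLXVwLXRva2Vu; Path=/; Secure"


@dataclass
class Cookie:
    name: str
    value: str
    # lowercase attribute name -> value, or None for flag attributes
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def audit(cookie: Cookie) -> List[str]:
    """Return one finding per missing hardening attribute (empty if clean)."""
    findings = []
    if "secure" not in cookie.attrs:
        findings.append("missing Secure: browser will send it over plaintext HTTP")
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly: readable via document.cookie")
    if "samesite" not in cookie.attrs:
        findings.append("missing SameSite: attached to cross-site requests")
    return findings


def browser_would_send(cookie: Cookie, url: str) -> bool:
    """Model the Secure rule only: a Secure cookie goes out on https:// alone,
    a non-Secure cookie goes out on both schemes (host/path checks omitted)."""
    scheme = urlsplit(url).scheme.lower()
    if "secure" in cookie.attrs:
        return scheme == "https"
    return scheme in ("http", "https")


def exposure_report(headers: List[str], plaintext_url: str) -> Dict[str, dict]:
    """For each header: its findings and whether it leaks on a plaintext URL."""
    report = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        report[cookie.name + ("@fixed" if "secure" in cookie.attrs else "@vulnerable")] = {
            "findings": audit(cookie),
            "sent_over_http": browser_would_send(cookie, plaintext_url),
        }
    return report


if __name__ == "__main__":
    # Hypothetical hostname used only for the scheme check.
    for label, info in exposure_report(
        [VULNERABLE_HEADER, FIXED_HEADER], "http://cms.example.test/"
    ).items():
        print(label, "sent over http:", info["sent_over_http"])
        for finding in info["findings"]:
            print("  -", finding)
```

Against the vulnerable sample the Secure finding fires and the cookie is attached to the http:// URL; against the fixed sample it is not, which is the whole effect of the 26.0.0 change. To use this on a real deployment, capture the Set-Cookie header from the login response (curl -i or the browser's network tab) and feed it to parse_set_cookie.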
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References
News mentions (1)
1. HAX CMS: 15 Vulnerabilities Disclosed Together on June 5, 2026. Vypr Intelligence, Jun 5, 2026.