CVE-2026-46493
Description
HAX CMS versions prior to 26.0.1 use a predictable uniqid for generating salts, allowing attackers to potentially compromise security.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
HAX CMS versions prior to 26.0.1 generate their security secrets with PHP's `uniqid()`. Bare `uniqid()` returns the current wall-clock time (seconds and microseconds) as 13 hex digits; it is documented as a unique identifier, not a random one, and its output is predictable to anyone who can estimate when it was called. The pre-26.0.1 `install.php` built the contents of `_config/SALT.txt` and the values substituted for the `HAXTHEWEBPRIVATEKEY` and `HAXTHEWEBREFRESHPRIVATEKEY` placeholders in `_config/config.php` from four concatenated `uniqid()` calls [1].
Exploitation
An attacker exploits this by treating the secrets as timestamps rather than random values: each 13-hex-digit part decodes to the time at which `install.php` called `uniqid()`, and the four parts of one secret are produced back to back, so they differ by only microseconds. Anyone who can bound when the installation ran can enumerate the candidate values, and learning any one part pins down the others. In practice this likely requires some way to learn or trigger the installation or configuration step where the values are generated, and the exact steps depend on how the salt and private keys are used and protected within the application's logic.
Impact
With the salt or either private key predicted, an attacker can defeat whatever integrity or authentication mechanism relies on that value: a guessable salt weakens any hash built on it, and a predictable signing key lets an attacker forge whatever the application signs or verifies with it. Depending on how HAX CMS uses these values, that can mean unauthorized access, modification of sensitive data, or other compromise of the HAX CMS environment [3].
Mitigation
HAX CMS 26.0.1 replaces the `uniqid()` construction with a `$generateSecureSecret` closure that concatenates four `bin2hex(random_bytes(16))` values, 64 bytes (512 bits) from the CSPRNG per secret, and in the same change replaces `rand()` with `random_int()` in the loop that builds the initial password [2]. Users are advised to update to 26.0.1 or later; no workarounds are available for older versions. Note that the fix changes only how `install.php` generates these values: upgrading does not rewrite a `_config/SALT.txt` or `_config/config.php` that an older installer already produced, so existing installations should regenerate those secrets (and, if the keys are used for signing, expect anything signed with the old keys to be invalidated).
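As an added example (not HAX CMS code and not part of this advisory), the following PHP script shows why the pre-26.0.1 construction is guessable and what the 26.0.1 construction does instead: it decodes a legacy four-part secret back to the install time, sizes the resulting search space, detects secrets that still have the legacy shape (the check an operator would run against `_config/SALT.txt` after upgrading), and generates a secret and an initial password the way the patched `install.php` does. It assumes PHP 7.0 or later for `random_bytes()`/`random_int()`, and that the legacy values came from bare `uniqid()` calls (no prefix, `more_entropy` off), which is what the diff on this page shows; the function names and the `$alphabet` string are this example's own.

```php
<?php
declare(strict_types=1);
// Added example, not HAX CMS code. Assumes PHP >= 7.0 and bare uniqid()
// calls (no prefix, more_entropy = false) as in the pre-26.0.1 install.php.

// Bare uniqid() is sprintf('%08x%05x', seconds, microseconds): 13 hex digits
// fully determined by the wall clock at the moment of the call.
function decodeUniqid(string $id): array
{
    if (!preg_match('/^[0-9a-f]{13}$/', $id)) {
        throw new InvalidArgumentException("not a bare uniqid() value: $id");
    }
    return [
        'sec'  => (int) hexdec(substr($id, 0, 8)),
        'usec' => (int) hexdec(substr($id, 8, 5)),
    ];
}

// Inverse of decodeUniqid: the value PHP emits at that instant, which is all
// an attacker needs in order to enumerate candidates for a time window.
function encodeUniqid(int $sec, int $usec): string
{
    return sprintf('%08x%05x', $sec, $usec);
}

// The pre-26.0.1 construction used for SALT.txt and both private keys.
function legacySecret(): string
{
    return uniqid() . '-' . uniqid() . '-' . uniqid() . '-' . uniqid();
}

// The 26.0.1 construction: 4 x 16 bytes from the CSPRNG, hex encoded.
function generateSecureSecret(): string
{
    $parts = [];
    for ($i = 0; $i < 4; $i++) {
        $parts[] = bin2hex(random_bytes(16));
    }
    return implode('-', $parts);
}

// The 26.0.1 initial-password loop with random_int(). $alphabet is assumed
// here (the diff does not show it); it must be single-byte ASCII because
// $alphabet[$n] indexes bytes, not characters.
function generatePassword(int $length = 12): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $alphaLength = strlen($alphabet) - 1; // random_int() bounds are inclusive
    $pass = [];
    for ($i = 0; $i < $length; $i++) {
        $pass[] = $alphabet[random_int(0, $alphaLength)];
    }
    return implode('', $pass);
}

// Audit helper: does a stored secret still have the legacy shape? Upgrading
// the code does not rewrite values that an old install already wrote.
function isLegacySecret(string $secret): bool
{
    return (bool) preg_match('/^[0-9a-f]{13}(-[0-9a-f]{13}){3}$/', $secret);
}

// Effective search space of a legacy secret: the attacker's uncertainty about
// the install time (a window of $windowSeconds) times the gap between the
// four back-to-back calls (each later part is at most $maxGapUsec after the
// previous one), expressed in bits.
function legacySearchSpaceBits(int $windowSeconds, int $maxGapUsec): float
{
    $firstPart  = $windowSeconds * 1e6;   // one candidate per microsecond
    $laterParts = $maxGapUsec ** 3;       // the other three parts
    return log($firstPart * $laterParts, 2);
}

// Demo: decode a freshly built legacy secret and compare with the new one.
$old   = legacySecret();
$parts = array_map('decodeUniqid', explode('-', $old));
printf("legacy secret : %s\n", $old);
printf("install time  : %s\n", date('c', $parts[0]['sec']));
for ($i = 1; $i < 4; $i++) {
    $gap = ($parts[$i]['sec'] - $parts[$i - 1]['sec']) * 1000000
         + ($parts[$i]['usec'] - $parts[$i - 1]['usec']);
    printf("gap to part %d : %d usec\n", $i + 1, $gap);
}
// Round trip: re-encoding the decoded time reproduces the "secret" exactly.
assert(encodeUniqid($parts[0]['sec'], $parts[0]['usec']) === substr($old, 0, 13));
printf("legacy shape? : %s\n", isLegacySecret($old) ? 'yes, rotate it' : 'no');
printf("search space  : ~%.1f bits for a 1-day window and 100 usec gaps\n",
    legacySearchSpaceBits(86400, 100));
$new = generateSecureSecret();
printf("new secret    : %s (%d hex digits, 512 bits of entropy)\n",
    $new, strlen(str_replace('-', '', $new)));
printf("legacy shape? : %s\n", isLegacySecret($new) ? 'yes' : 'no');
printf("new password  : %s\n", generatePassword());
```

Run it with `php` from the command line. The gaps it prints are the whole "randomness" of the legacy construction: once the first part is bounded, the other three are within a handful of microseconds of it, which is why the search space for a one-day window comes out near 56 bits rather than the 208 bits that 52 hex digits might suggest, and why `isLegacySecret()` is worth running against an upgraded site's `_config/SALT.txt`.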
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <26.0.1
Patches
13 files changed · +15 −11
build/es6/node_modules/@haxtheweb/app-hax/lib/app-hax-theme.js+3 −6 modified@@ -607,20 +607,17 @@ import{html as t,css as e,unsafeCSS as o}from"../../../lit/index.js";import{HAXC } .version { position: fixed; - left: 0; + right: 0; bottom: 0; background-color: var(--simple-colors-default-theme-yellow-6); display: inline-block; - padding: 8px; + padding: 4px; + font-size: var(--ddd-font-size-4xs); color: var(--simple-colors-default-theme-grey-12); - border-right: 3px solid var(--simple-colors-default-theme-grey-12); - border-top: 3px solid var(--simple-colors-default-theme-grey-12); } body.dark-mode .version { background-color: var(--simple-colors-default-theme-yellow-8); color: var(--simple-colors-default-theme-grey-1); - border-right: 3px solid var(--simple-colors-default-theme-grey-1); - border-top: 3px solid var(--simple-colors-default-theme-grey-1); } simple-modal::part(title) { background-color: transparent;
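Review bot: this hunk is a cosmetic change to the `.version` badge (moves it from `left: 0` to `right: 0`, shrinks the padding, drops the borders) in a built artifact under `build/es6/node_modules/`, and has nothing to do with the secret-generation fix; keep theme changes out of the security commit so the patch for this CVE stays reviewable and cherry-pickable on its own.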
build/es6/node_modules/@haxtheweb/la-tex/lib/latex2html5.js+1 −1 modifiedinstall.php+11 −4 modified@@ -141,6 +141,13 @@ <?php include_once 'system/backend/php/lib/Git.php'; // add git library + $generateSecureSecret = function () { + $parts = array(); + for ($i = 0; $i < 4; $i++) { + $parts[] = bin2hex(random_bytes(16)); + } + return implode('-', $parts); + }; if (!is_dir('_config')) { // gotta config some place now don't we if (!mkdir('_config')) { @@ -187,21 +194,21 @@ // set SALT file_put_contents( '_config/SALT.txt', - uniqid() . '-' . uniqid() . '-' . uniqid() . '-' . uniqid() + $generateSecureSecret() ); // set things in config file from the norm $configFile = file_get_contents('_config/config.php'); // private key $configFile = str_replace( 'HAXTHEWEBPRIVATEKEY', - uniqid() . '-' . uniqid() . '-' . uniqid() . '-' . uniqid(), + $generateSecureSecret(), $configFile ); // refresh private key $configFile = str_replace( 'HAXTHEWEBREFRESHPRIVATEKEY', - uniqid() . '-' . uniqid() . '-' . uniqid() . '-' . uniqid(), + $generateSecureSecret(), $configFile ); // user @@ -225,7 +232,7 @@ $pass = array(); //remember to declare $pass as an array $alphaLength = strlen($alphabet) - 1; //put the length -1 in cache for ($i = 0; $i < 12; $i++) { - $n = rand(0, $alphaLength); + $n = random_int(0, $alphaLength); $pass[] = $alphabet[$n]; } $pass = implode($pass);
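Review bot: in the `@@ -141,6 +141,13 @@` hunk, `random_bytes()` throws (`Exception` before PHP 8.2, `Random\RandomException` from 8.2 on) when no secure entropy source is available, and `$generateSecureSecret` is first called after `_config` has already been created, so a failure would abort mid-install with a half-written config directory; check for a usable CSPRNG before touching the filesystem, or wrap the calls in `try { ... } catch (\Exception $e) { exit('no secure random source available'); }` so the install fails cleanly with a clear message.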
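Review bot: in the `@@ -187,21 +194,21 @@` hunk, `_config/SALT.txt` is written with `file_put_contents()` under the process umask, which typically leaves it mode 0644 and readable by every local account; follow the write with `chmod('_config/SALT.txt', 0600);`, and apply the same restriction to `_config/config.php`, which after the `str_replace()` calls holds both private keys in clear text.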
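Review bot: in the `@@ -225,7 +232,7 @@` hunk, `random_int(0, $alphaLength)` is inclusive on both ends, so the existing `strlen($alphabet) - 1` bound is correct, but `random_int()` throws under the same conditions as `random_bytes()` and needs the same handling as the secret generation above; `$alphabet` is not visible in this hunk, so confirm it is single-byte ASCII, because `$alphabet[$n]` indexes bytes and a multibyte alphabet would yield broken characters and a skewed distribution.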
Vulnerability mechanics
Root cause
"The use of `uniqid` for generating security-sensitive salts and private keys results in predictable and weak values."
Attack vector
An unauthenticated attacker can exploit this vulnerability by triggering the application to generate new salts and private keys. Because bare `uniqid()` is a hex encoding of the current time in seconds and microseconds, an attacker who can bound when the values were generated can guess or determine them. This can lead to a compromise of the application's security, potentially allowing unauthorized access or manipulation of data [ref_id=1].
Affected code
The hunks shown above are in `install.php`, which writes `_config/SALT.txt` and substitutes the `HAXTHEWEBPRIVATEKEY` and `HAXTHEWEBREFRESHPRIVATEKEY` placeholders in `_config/config.php`; each of the three values was previously built from four `uniqid()` calls joined with `-` [ref_id=1]. The source text also attributes the vulnerability to `build/es6/node_modules/@haxtheweb/haxcms-php/config.php`, but no hunk for that file is shown here.
What the fix does
The patch replaces `uniqid()` with a cryptographically secure source, `random_bytes()`, for the salt and private keys [patch_id=4938655]: the new `$generateSecureSecret` closure concatenates four `bin2hex(random_bytes(16))` values, so each secret carries 64 bytes (512 bits) from the operating system's CSPRNG and cannot be predicted or brute-forced. The same commit also switches the generated initial password from `rand()` to `random_int()` [ref_id=1].
Preconditions
- auth: No authentication is required to trigger the vulnerability.
Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
1. HAX CMS: 15 Vulnerabilities Disclosed Together on June 5, 2026 (Vypr Intelligence, Jun 5, 2026)