Impact
The vulnerability resides in the HAX CMS NodeJS backend before version 26.0.0. An authenticated attacker can send a single, specially crafted request to the createSite endpoint, triggering an unhandled exception that crashes the application. The crash terminates all processes related to the CMS, making the site and associated services unavailable until a server restart is performed. The underlying weakness is improper input validation and processing, classified as CWE-20. The result is a denial-of-service scenario in which legitimate users lose access to the CMS.
Affected Systems
Systems running the HAX CMS NodeJS application with a version earlier than 26.0.0 are affected. The vendor product, HAX CMS by Haxtheweb, uses a NodeJS backend that includes the createSite endpoint. The advisory specifies that upgrading to version 26.0.0 resolves the issue. No other product variants were reported, and the vulnerability is limited to the NodeJS component of the CMS.
Risk and Exploitability
The CVSS score of 6.5 reflects moderate severity, and no EPSS score is available, so the probability of exploitation cannot be quantified from the available data. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires an authenticated user, implying that compromised credentials or membership in a privileged role are prerequisites. Once the malicious request is received, the application crashes immediately, silently dropping all services. Because the attack can be performed with a single request, the risk of disruption is high for exposed services lacking proper access control or rate limiting on the createSite endpoint.
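The failure mode the advisory describes, an unhandled exception in a request handler taking down the whole Node process, and the defensive pattern that contains it are shown below as an added example. This is illustration code written for this page, not HAX CMS code, and it does not reproduce the real createSite request contract: the assumed request shape (a JSON body with a `site` object carrying a `name` string), the name constraint, and the function names `createSiteNaive`, `createSiteHardened`, `validateCreateSite` and `dispatch` are all assumptions made for the example.

```javascript
// Added illustration, not HAX CMS code. The body shape (body.site.name) and the
// name constraint are assumptions for this example, not the real createSite API.

// Naive handler: trusts the body shape. A body such as {} or {"site": null}
// makes `body.site.name` throw a TypeError. In a Node server an exception that
// escapes the handler (especially from an async callback) surfaces as an
// 'uncaughtException' and terminates the process: every other user's session
// dies with it, which is the one-request denial of service described above.
function createSiteNaive(body) {
  const name = body.site.name.trim();
  return { status: 201, site: { name } };
}

// Example constraint (an assumption): 1-63 lowercase letters, digits or hyphens.
const SITE_NAME_RE = /^[a-z0-9][a-z0-9-]{0,62}$/;

// Validate shape and content before touching nested fields; return a list of
// human-readable problems instead of throwing.
function validateCreateSite(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return ['request body must be a JSON object'];
  }
  const site = body.site;
  if (site === null || typeof site !== 'object' || Array.isArray(site)) {
    return ['"site" must be an object'];
  }
  const errors = [];
  if (typeof site.name !== 'string') {
    errors.push('"site.name" must be a string');
  } else if (!SITE_NAME_RE.test(site.name)) {
    errors.push('"site.name" must match ' + SITE_NAME_RE.source);
  }
  return errors;
}

// Hardened handler: validation failures become a 400 for that request only.
function createSiteHardened(body) {
  const errors = validateCreateSite(body);
  if (errors.length > 0) {
    return { status: 400, errors };
  }
  return { status: 201, site: { name: body.site.name } };
}

// Last line of defence at the route boundary: anything that still escapes a
// handler is converted into a 500 for that request, so a malformed request
// cannot crash the process. A real service would log `err` with a request id.
function dispatch(handler, body) {
  try {
    return handler(body);
  } catch (err) {
    return { status: 500, errors: ['internal error'] };
  }
}

// Constructed sample inputs for the demonstration.
const GOOD = { site: { name: 'course-101' } };
const BAD_NULL_SITE = { site: null };
const BAD_SHAPE = 'not-a-json-object';

// Returns the outcome of each handler on the samples so the contrast is visible.
function demo() {
  let naiveThrows = false;
  try {
    createSiteNaive(BAD_NULL_SITE);
  } catch (err) {
    naiveThrows = err instanceof TypeError;
  }
  return {
    naiveThrows,                                          // true: crash path
    hardenedGood: createSiteHardened(GOOD).status,        // 201
    hardenedNullSite: createSiteHardened(BAD_NULL_SITE).status, // 400
    hardenedShape: createSiteHardened(BAD_SHAPE).status,  // 400
    dispatchedNaive: dispatch(createSiteNaive, BAD_NULL_SITE).status, // 500
  };
}

console.log(demo());
```

The two layers are deliberately separate: `validateCreateSite` rejects bad input with a precise 400 so the client can fix its request, while `dispatch` is the generic safety net that keeps an unexpected exception from becoming a process crash. Both are needed; the boundary catch alone would hide validation bugs, and validation alone cannot cover every exception path.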
OpenCVE Enrichment
Github GHSA