Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 2.0.0 and prior to version 26.0.0, the gitlist plugin is exposed to unauthenticated users, allowing unauthenticated browsing of git repositories and git history. Version 26.0.0 patches the issue.
Published: 2026-06-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated access to the gitlist plugin in HAX CMS versions 2.0.0 through 25.x permits an attacker to view the entire repository and commit history. The exposure allows disclosure of source code, configuration files, and other sensitive data that should be protected, representing a classic authorisation bypass (CWE-639).

Affected Systems

The vulnerability affects HAX CMS for PHP distributed by HaxTheWeb. All releases from 2.0.0 up to, but not including, 26.0.0 are impacted; version 26.0.0 and later contain the fix.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. Because the issue provides direct read access to source code without authentication, exploitation is straightforward for anyone who can reach the CMS over the network. EPSS data is not available, and the vulnerability is not listed in CISA KEV. While it does not grant code execution, the information obtained can facilitate subsequent attacks such as credential theft or the development of more targeted exploits.

Generated by OpenCVE AI on June 5, 2026 at 20:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HAX CMS to version 26.0.0 or later, which removes the exposed gitlist plugin
  • Verify that no custom or legacy configuration re-enables gitlist access and review any feature flags that might expose repository data
  • Limit network exposure of the CMS by placing it behind a firewall or VPN until the patch is applied
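The risk assessment above rests on two facts the record states: the CVSS v4.0 vector (AV:N, PR:N, UI:N with a confidentiality impact, i.e. reachable by anyone on the network without credentials) and the affected range of 2.0.0 up to but not including 26.0.0. The following triage helper is an added example, not OpenCVE's or HaxTheWeb's code: it parses the vector published on this page into named metrics, flags the unauthenticated-disclosure pattern, and checks whether an installed HAX CMS version string falls inside the affected range so the upgrade action can be verified mechanically. The metric abbreviations follow the CVSS v4.0 specification; the version strings at the bottom are constructed samples, not real deployments.

```python
"""Triage helper for CVE-2026-46390 (HAX CMS gitlist exposure).

Added example, not code from OpenCVE or HaxTheWeb. Parses the CVSS v4.0
vector published on the OpenCVE page and checks an installed version against
the affected range [2.0.0, 26.0.0) stated there. Sample versions are constructed.
"""
from __future__ import annotations

import re

# CVSS v4.0 base-metric abbreviations (per the CVSS v4.0 specification).
BASE_METRICS = {
    "AV": "Attack Vector", "AC": "Attack Complexity", "AT": "Attack Requirements",
    "PR": "Privileges Required", "UI": "User Interaction",
    "VC": "Vulnerable System Confidentiality", "VI": "Vulnerable System Integrity",
    "VA": "Vulnerable System Availability",
    "SC": "Subsequent System Confidentiality", "SI": "Subsequent System Integrity",
    "SA": "Subsequent System Availability",
}

# Vector as published for CVE-2026-46390 on this page.
PAGE_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"

# Affected range stated on the page: >= 2.0.0 and < 26.0.0.
AFFECTED_MIN = (2, 0, 0)
FIXED_IN = (26, 0, 0)


def parse_cvss4(vector: str) -> dict[str, str]:
    """Parse a CVSS v4.0 vector string into {abbreviation: value}.

    Rejects vectors that are not v4.0, are malformed, or lack a base metric.
    """
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {vector!r}")
    metrics: dict[str, str] = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric {part!r}")
        metrics[key] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def is_unauthenticated_network_disclosure(metrics: dict[str, str]) -> bool:
    """True when the vector matches the pattern this advisory describes:
    network-reachable (AV:N), no privileges (PR:N), no user interaction (UI:N),
    and some confidentiality impact on the vulnerable system (VC != N)."""
    return (
        metrics["AV"] == "N"
        and metrics["PR"] == "N"
        and metrics["UI"] == "N"
        and metrics["VC"] != "N"
    )


def parse_version(text: str) -> tuple[tuple[int, int, int], bool]:
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v', optional '-prerelease'
    and '+build' suffixes) into (numeric tuple, is_prerelease)."""
    m = re.fullmatch(
        r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?", text.strip()
    )
    if not m:
        raise ValueError(f"unrecognised version {text!r}")
    numeric = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return numeric, m.group(4) is not None


def is_affected(version: str) -> bool:
    """True when the installed HAX CMS version is in [2.0.0, 26.0.0).

    A pre-release of the fixed version (e.g. 26.0.0-beta) precedes 26.0.0 in
    semantic-version ordering, so it is conservatively treated as affected.
    """
    numeric, prerelease = parse_version(version)
    if AFFECTED_MIN <= numeric < FIXED_IN:
        return True
    return prerelease and numeric == FIXED_IN


if __name__ == "__main__":
    metrics = parse_cvss4(PAGE_VECTOR)
    for abbrev, value in metrics.items():
        print(f"{BASE_METRICS[abbrev]:40s} {value}")
    print("unauthenticated network disclosure:",
          is_unauthenticated_network_disclosure(metrics))
    # Constructed sample versions, not real deployments.
    for v in ("1.9.0", "2.0.0", "25.3.1", "26.0.0-beta.1", "26.0.0", "v26.1.0"):
        print(f"{v:14s} affected={is_affected(v)}")
```

The version check deliberately errs on the side of reporting a pre-release of 26.0.0 as affected, since the record only promises the fix from 26.0.0 itself; adjust `FIXED_IN` if a later advisory narrows the range.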

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Haxtheweb; Haxtheweb haxcms-php
Vendors & Products   -                Haxtheweb; Haxtheweb haxcms-php

Fri, 05 Jun 2026 19:00:00 +0000

Type          Values Removed   Values Added
Description   -                HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 2.0.0 and prior to version 26.0.0, the gitlist plugin is exposed to unauthenticated users, allowing unauthenticated browsing of git repositories and git history. Version 26.0.0 patches the issue.
Title         -                HAX CMS has Unauthenticated Git Access via User-Controlled Key
Weaknesses    -                CWE-639
References    -                -
Metrics       -                cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T18:16:17.100Z

Reserved: 2026-05-13T19:53:47.922Z

Link: CVE-2026-46390

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-06-05T19:16:32.863

Modified: 2026-06-05T19:20:19.607

Link: CVE-2026-46390

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T20:45:04Z

Weaknesses