Description
HAX CMS helps manage a microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 26.0.0 allows authenticated users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. Version 26.0.0 contains a fix.
Published: 2026-06-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Authenticated users can exploit a Server-Side Request Forgery in HAX CMS versions earlier than 26.0.0, allowing them to fetch any internal or local resource and write the response into a web-accessible directory. This results in arbitrary file read and potential internal network access, and is rooted in CWE-918 (Server-Side Request Forgery).

Affected Systems

The vulnerability affects HAX CMS deployments backed by the Node.js and PHP implementations provided by haxtheweb. All releases prior to 26.0.0 are vulnerable; version 26.0.0 contains a fix.

Risk and Exploitability

The CVSS score is 7.1, indicating a high severity vulnerability. EPSS information is not available and the issue is not listed in the CISA KEV catalog. Exploitation requires valid authentication to the CMS; once authenticated, an attacker can target internal services or files via the createSite endpoint. The risk remains elevated until the fix is applied.

Generated by OpenCVE AI on June 5, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HAX CMS Node.js and PHP backends to version 26.0.0 or later.
  • Remove or restrict user roles that have permission to invoke the createSite endpoint to minimize exposure.
  • Enforce strict file-write permissions so that files written by the CMS cannot be accessed by unintended parties.



Advisories

Source: GitHub GHSA
ID: GHSA-q862-gcgq-5m6g
Title: HAXcms createSite SSRF Enables Arbitrary File Read
History

Fri, 05 Jun 2026 20:45:00 +0000

  Values added:
    First time appeared: Haxtheweb; Haxtheweb haxcms-nodejs; Haxtheweb haxcms-php
    Vendors & Products: Haxtheweb; Haxtheweb haxcms-nodejs; Haxtheweb haxcms-php

Fri, 05 Jun 2026 19:00:00 +0000

  Values added:
    Description: HAX CMS helps manage a microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 26.0.0 allows authenticated users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. Version 26.0.0 contains a fix.
    Title: HAXcms createSite SSRF Enables Arbitrary File Read
    Weaknesses: CWE-918
    References:
    Metrics: cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T18:24:49.719Z

Reserved: 2026-05-13T19:53:47.923Z

Link: CVE-2026-46393

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-05T19:16:33.303

Modified: 2026-06-05T19:20:19.607

Link: CVE-2026-46393

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T20:45:04Z

Weaknesses