Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the haxcms_refresh_token cookie is set without the Secure flag. This allows it to be transmitted over unencrypted HTTP, making it vulnerable to theft via packet sniffing on the network. Version 26.0.0 fixes the issue.
Published: 2026-06-05
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The haxcms_refresh_token cookie is set without the Secure flag in HAX CMS versions 25.0.0 through 25.x.x, exposing the token to transmission over unencrypted HTTP. This vulnerability allows an attacker who can sniff network traffic to capture the refresh token, potentially hijacking a user’s session and gaining unauthorized access to the CMS. The flaw is an instance of CWE-614, which concerns improper management of user credentials stored in cookies.

Affected Systems

HAX CMS running on a PHP backend from haxtheweb, specifically any release from version 25.0.0 up to but not including 26.0.0. Versions 26.0.0 and newer are not affected by this issue.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity; no EPSS score is available, and the absence of a KEV listing does not diminish the risk of exploitation. The likely attack vector is interception of the haxcms_refresh_token cookie over an unsecured HTTP connection. An attacker who controls or monitors an unencrypted HTTP connection can easily intercept the cookie, and because the token is a refresh token, the hijacked session can potentially be used to obtain long-term access. The vulnerability is likely exploitable by anyone able to observe traffic to the site, making the threat surface quite broad in environments where HTTPS is not enforced.

Generated by OpenCVE AI on June 5, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HAX CMS to version 26.0.0 or later to eliminate the insecure cookie setting.
  • Configure the web server or PHP application to serve the haxcms_refresh_token cookie with the Secure flag and only over HTTPS, ensuring it is not transmitted on unencrypted connections.
  • Enforce HTTPS sitewide, for example via HSTS or by redirecting all HTTP traffic to HTTPS, so the cookie cannot be sniffed on the network.
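As an added illustration of the cookie and HSTS actions above (this is example code, not code from HAX CMS or OpenCVE), the following Node.js snippet builds a Set-Cookie value for the refresh token with the Secure, HttpOnly and SameSite attributes, builds an HSTS header value, and audits an existing Set-Cookie value for the missing flags. The cookie name comes from the advisory; the token value and lifetimes are constructed sample data.

```javascript
// Added example, not HAX CMS or OpenCVE code. Cookie name is from the advisory;
// the token value and lifetimes below are constructed sample data.
// Build a Set-Cookie header value for a refresh token with the attributes the
// recommended actions call for: Secure (HTTPS only), HttpOnly (not readable by
// page scripts) and SameSite=Strict (not attached to cross-site requests).
function buildRefreshCookie(name, value, maxAgeSeconds) {
  return [
    `${name}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAgeSeconds}`,
    'Path=/',
    'HttpOnly',
    'Secure',
    'SameSite=Strict',
  ].join('; ');
}

// Strict-Transport-Security value so browsers refuse plain HTTP for the site.
function buildHstsHeader(maxAgeSeconds) {
  return `max-age=${maxAgeSeconds}; includeSubDomains`;
}

// Parse a Set-Cookie header value into its name and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, attributes };
}

// Audit a Set-Cookie value: list the hardening attributes it lacks. A refresh
// token cookie missing "Secure" is exactly the condition this CVE describes.
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const missing = [];
  if (!attributes.secure) missing.push('Secure');
  if (!attributes.httponly) missing.push('HttpOnly');
  if (!attributes.samesite) missing.push('SameSite');
  return { name, missing };
}

// Constructed sample: the vulnerable form beside the hardened one.
const vulnerableCookie = 'haxcms_refresh_token=sampletoken; Path=/; HttpOnly';
const hardenedCookie = buildRefreshCookie('haxcms_refresh_token', 'sampletoken', 7 * 24 * 3600);
```

Running auditSetCookie over the Set-Cookie headers of an HTTP response is a quick way to confirm that an upgraded or reconfigured deployment actually emits the Secure flag.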

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 20:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Haxtheweb; Haxtheweb haxcms-php
Vendors & Products    -                Haxtheweb; Haxtheweb haxcms-php

Fri, 05 Jun 2026 20:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 19:30:00 +0000

Type          Values Removed   Values Added
Description   -                HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the haxcms_refresh_token cookie is set without the Secure flag. This allows it to be transmitted over unencrypted HTTP, making it vulnerable to theft via packet sniffing on the network. Version 26.0.0 fixes the issue.
Title         -                HAX CMS Missing Secure Flag on Cookie
Weaknesses    -                CWE-614
References    -                -
Metrics       -                cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T19:42:51.426Z

Reserved: 2026-05-13T21:04:10.931Z

Link: CVE-2026-46398

Vulnrichment

Updated: 2026-06-05T19:42:47.712Z

NVD

Status: Deferred

Published: 2026-06-05T20:17:33.910

Modified: 2026-06-05T20:48:21.200

Link: CVE-2026-46398

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T21:15:05Z

Weaknesses