Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.0 suffer from an improper session termination vulnerability where authentication tokens remain valid after user logout. This allows attackers who obtain valid tokens to maintain persistent access to authenticated CMS functionality, bypassing the intended session termination mechanism and enabling unauthorized access to CMS metadata and administrative functions. Version 26.0.0 fixes the issue.
Published: 2026-06-05
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper session expiration flaw that allows authentication tokens to remain valid after the user logs out. An attacker who obtains a valid token can therefore continue to access the CMS, including administrative functions and metadata, beyond the intended session lifetime. The flaw directly maps to CWE-613, which concerns failures to properly terminate sessions.

Affected Systems

All HAX CMS deployments built before version 26.0.0 from haxtheweb are affected. The issue was addressed in the 26.0.0 release, so any instance running an earlier patch level may be exposed.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector implicitly requires an attacker to first acquire a valid session token, typically through credential compromise or another pre‑existing vulnerability. Once a token is obtained, the attacker can maintain persistent authenticated access without needing to re‑authenticate, thereby elevating the risk of unauthorized data exposure or configuration changes.

Generated by OpenCVE AI on June 5, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HAX CMS to version 26.0.0 or later
  • Ensure session tokens are revoked on logout by implementing server‑side expiration logic
  • Periodically audit and monitor session usage to detect stale or invalidated sessions



Advisories

No advisories yet.

History

Fri, 05 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.0 suffer from an improper session termination vulnerability where authentication tokens remain valid after user logout. This allows attackers who obtain valid tokens to maintain persistent access to authenticated CMS functionality, bypassing the intended session termination mechanism and enabling unauthorized access to CMS metadata and administrative functions. Version 26.0.0 fixes the issue.
Title | | HAX CMS PHP has Insufficient Session Expiration
Weaknesses | | CWE-613
References | |
Metrics | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T19:18:05.286Z

Reserved: 2026-05-13T21:04:10.932Z

Link: CVE-2026-46401

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-05T20:17:34.247

Modified: 2026-06-05T20:48:21.200

Link: CVE-2026-46401

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T20:45:04Z

Weaknesses