Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.1 use `uniqid` for generating salts, which is unsuitable. Version 26.0.1 fixes the issue.
Published: 2026-06-05
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in haxcms‑php stems from the use of PHP's uniqid() function to generate salts for stored passwords. uniqid() produces pseudo‑random, time‑based identifiers that are predictable and not cryptographically strong. An attacker who can obtain or guess these salts could pre‑compute hash tables or mount brute‑force attacks against user passwords, possibly gaining unauthorized access. This weakness is identified as CWE‑338, a weakness in cryptographic key generation.

Affected Systems

Affected software is haxtheweb’s haxcms‑php. Any instance running a version earlier than 26.0.1 is vulnerable. The updated release 26.0.1 replaces the salt generation with a secure random method, removing the risk.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, but the EPSS score is not available, making it unclear how frequently this is exploited in the wild. The vulnerability is not listed in CISA’s KEV catalog, suggesting no documented widespread exploitation. The likely attack vector involves remote authentication attempts after the salt is known or can be approximated. If an attacker already has the salts or can extract them via other vulnerabilities, they can more easily crack stored passwords. The criticality is mitigated by the update in version 26.0.1, which addresses the flaw.

Generated by OpenCVE AI on June 5, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to haxcms‑php 26.0.1 or newer to replace the insecure salt generation.
  • Force users to reset passwords to regenerate salts with the improved algorithm, or re‑hash existing credentials if possible.
  • Verify that no code paths still use uniqid() for salt generation; audit configuration and custom plugin code for potential weaknesses.

Generated by OpenCVE AI on June 5, 2026 at 20:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Haxtheweb
Haxtheweb haxcms-php
Vendors & Products Haxtheweb
Haxtheweb haxcms-php

Fri, 05 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.1 use `uniqid` for generating salts, which is unsuitable. Version 26.0.1 fixes the issue.
Title haxtheweb/haxcms-php uses insecure method for generating salt
Weaknesses CWE-338
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Haxtheweb Haxcms-php
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T19:42:36.270Z

Reserved: 2026-05-14T18:06:06.811Z

Link: CVE-2026-46493

cve-icon Vulnrichment

Updated: 2026-06-05T19:42:28.175Z

cve-icon NVD

Status : Deferred

Published: 2026-06-05T20:17:34.490

Modified: 2026-06-05T20:48:21.200

Link: CVE-2026-46493

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T20:45:04Z

Weaknesses