CVE-2026-46357
Published 2026-06-05
Priority: P3 · 34 · Severity: medium · CVSS 3.1 base score: 6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.24% (14.9th percentile)
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire application offline, requiring a manual server restart to restore service. Version 26.0.0 fixes the issue.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| haxtheweb | haxcms-nodejs | < 26.0.0 | 26.0.0 |
| haxtheweb | haxcms-nodejs | >= 0 < 26.0.0 | 26.0.0 |
VulDB
vuldb·2026-06-06·CVSS 6.5
CVE-2026-46357 [MEDIUM] haxtheweb haxcms-nodejs up to 25.x createSite Endpoint denial of service (GHSA-9r33-xhw8-4qqp)
A vulnerability, which was classified as problematic, has been found in haxtheweb haxcms-nodejs up to 25.x. Affected by this issue is some unknown functionality of the component createSite Endpoint. Performing a manipulation results in denial of service.
This vulnerability is known as CVE-2026-46357. Remote exploitation of the attack is possible. No exploit is available.
It is advisable to upgrade the affected component.
GHSA
ghsa·2026-05-19
CVE-2026-46357 [MEDIUM] CWE-476 HAX CMS: Denial of Service using Malicious Import Request
### Summary
The HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire application offline, requiring a manual server restart to restore service.
### Details
The `createSite` remote import flow does **not** complete end-to-end. Instead, the server crashes before the outbound HTTP fetch happens.
The crash occurs because `createSite` passes a file object that has no `originalname` property, while `HAXCMSFile.save()` immediately dereferences `tmpFile.originalname.replace(...)`. In JavaScript that is a `TypeError` thrown on an `undefined` value (the null-dereference pattern GHSA maps to CWE-476); because nothing on the request path catches it, the exception escapes the handler and terminates the Node process.
As a result:
- the request reaches privileged code inside `createSite`
- the server hits the remote file handling path
- the proces
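The following is an added example that models the failure mode the advisory describes; it is not HAX CMS code. `saveUnsafe` mirrors the shape of the reported `HAXCMSFile.save()` dereference, `saveSafe` is one way to harden it, and `createSiteHandler` shows the route-level guard that keeps a single bad request from becoming a process crash. All names, the sanitizing regex, and the two request objects are assumptions constructed for illustration.

```javascript
// Added example, not HAX CMS code. Models the crash path from the GHSA advisory:
// a file object without `originalname` reaching code that calls `.replace()` on it.
// Names, regexes and request shapes below are assumptions for illustration.

class ValidationError extends Error {}

// Constructed inputs (not captured traffic): a normal upload-style file object,
// and the remote-import shape the advisory describes, which has no `originalname`.
const UPLOAD_FILE = { originalname: 'My Site.zip' };
const IMPORT_FILE = { url: 'https://example.invalid/site.zip' };

// Vulnerable shape (assumed): dereferences `originalname` unconditionally.
// With IMPORT_FILE this throws TypeError: Cannot read properties of undefined.
function saveUnsafe(tmpFile) {
  return tmpFile.originalname.replace(/[^A-Za-z0-9._-]/g, '_');
}

// Hardened shape: validate the field before using it, and reject names that
// would be empty or directory-like after sanitizing.
function saveSafe(tmpFile) {
  if (!tmpFile || typeof tmpFile.originalname !== 'string' || tmpFile.originalname.trim() === '') {
    throw new ValidationError('file object has no originalname');
  }
  // Keep only the final path segment so a client-supplied path cannot traverse.
  const base = tmpFile.originalname.split(/[\\/]/).pop();
  const name = base.replace(/[^A-Za-z0-9._-]/g, '_');
  if (name === '' || name === '.' || name === '..') {
    throw new ValidationError('invalid file name');
  }
  return name;
}

// Route-level guard: every error from the save path becomes an HTTP response
// instead of an uncaught exception. In a real Express async handler an uncaught
// throw rejects the handler's promise, and Node (v15+) terminates the process on
// an unhandled rejection, which is the one-request outage the advisory describes.
// The handler here is synchronous so the example runs stand-alone.
function createSiteHandler(save) {
  return function handle(req) {
    try {
      const file = save(req.file);
      return { status: 200, body: { file } };
    } catch (err) {
      if (err instanceof ValidationError) {
        return { status: 400, body: { error: err.message } };
      }
      // Unexpected error: log and answer 500, but the process keeps serving.
      return { status: 500, body: { error: 'internal error' } };
    }
  };
}

module.exports = { ValidationError, UPLOAD_FILE, IMPORT_FILE, saveUnsafe, saveSafe, createSiteHandler };
```

The two fixes are independent: the input check in `saveSafe` removes this particular dereference, while the try/catch in `createSiteHandler` (or an equivalent Express error middleware) ensures that any future unexpected throw in the privileged import path degrades to a 500 rather than taking the whole application down.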
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.