CVE-2026-46393
Published 2026-06-05
Priority: P341
Severity: high, CVSS 4.0 base score 7.1
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.24% (14.7th percentile)
HAX CMS helps manage microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 26.0.0 allows authenticated users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. Version 26.0.0 contains a fix.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| haxtheweb | haxcms-nodejs | < 26.0.0 | 26.0.0 |
| haxtheweb | haxcms-nodejs | >= 0 < 26.0.0 | 26.0.0 |
| haxtheweb | haxcms-php | < 26.0.0 | 26.0.0 |
VulDB
haxtheweb haxcms-nodejs/haxcms-php up to 25.x server-side request forgery (GHSA-q862-gcgq-5m6g)
vuldb·2026-06-06·CVSS 7.1
CVE-2026-46393 [HIGH] haxtheweb haxcms-nodejs/haxcms-php up to 25.x server-side request forgery (GHSA-q862-gcgq-5m6g)
A vulnerability classified as critical was found in haxtheweb haxcms-nodejs and haxcms-php up to 25.x. This vulnerability affects unknown code. Executing a manipulation can lead to server-side request forgery.
This vulnerability appears as CVE-2026-46393. The attack may be performed remotely. There is no available exploit.
Upgrading the affected component is advised.
GHSA
HAXcms createSite SSRF Enables Arbitrary File Read
ghsa·2026-05-19
CVE-2026-46393 [HIGH] CWE-918 HAXcms createSite SSRF Enables Arbitrary File Read
### Summary
An authenticated Server-Side Request Forgery (SSRF) vulnerability in HAXcms allows users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access.
### Details
The `createSite` endpoint in HAXcms (v11.0.6) accepts a `build.files` parameter that allows an authenticated user to supply arbitrary URLs or local file paths. This input is processed without validation and ultimately fetched server-side using `file_get_contents()`.
The data flow is as follows:
- User input (`build.files`) is processed via `object_to_array()` into a PHP array
- Assigned to `$filesToDownload` in `Operations.php` (line 2626)
- Iterated over in `Operation
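The data flow above and one way to close it, as an added PHP example that is not HAXcms code and does not reproduce Operations.php: downloadFilesVulnerable() mirrors the pattern the advisory describes (a user-supplied list fetched with file_get_contents() and the raw response written under a web-served directory); downloadFilesHardened(), safeFetchTarget() and isPublicIp() are hypothetical names for the hardening, which restricts the scheme to http(s), resolves the host and rejects any private, loopback or link-local answer, disables redirect following, caps the response size and reduces the output file name to a safe basename. The probe list at the bottom is constructed for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not HAXcms code. Function names other than the PHP
// built-ins are assumptions for this example.

// VULNERABLE: each user-controlled entry is fetched exactly as given, so
// file:///etc/passwd or http://169.254.169.254/latest/meta-data/ are read
// by the server and then served back to the requester over HTTP.
function downloadFilesVulnerable(array $filesToDownload, string $webDir): void
{
    foreach ($filesToDownload as $name => $url) {
        $data = @file_get_contents($url);                  // no scheme or host check
        if ($data !== false) {
            file_put_contents($webDir . '/' . $name, $data); // $name is also unsanitised
        }
    }
}

// True only for globally routable addresses. The flags reject RFC 1918 space,
// 127/8, 0/8, 169.254/16 (cloud metadata), 240/4, ::1, fe80::/10, fc00::/7.
function isPublicIp(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Returns $url unchanged if it is http(s) to a host whose every resolved
// address is public; otherwise null.
function safeFetchTarget(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;                                       // bare paths, file:///, relative URLs
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;                                       // php://, gopher://, ftp://, ...
    }
    $host = trim($p['host'], '[]');                        // parse_url keeps brackets on IPv6 literals
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];
    } else {
        $ips = [];
        foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rec) {
            $ips[] = $rec['ip'] ?? $rec['ipv6'];
        }
    }
    if ($ips === []) {
        return null;                                       // unresolvable: refuse rather than guess
    }
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) {
            return null;                                   // one internal answer rejects the host
        }
    }
    return $url;
}

// Hardened replacement; returns the names actually written.
function downloadFilesHardened(array $filesToDownload, string $webDir): array
{
    // follow_location=0: a 302 from a public host to an internal address would
    // otherwise sidestep safeFetchTarget(). This is still check-then-fetch, so
    // DNS rebinding needs the client to pin the resolved IP (not shown here).
    $ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 10]]);
    $written = [];
    foreach ($filesToDownload as $name => $url) {
        $safeName = basename((string) $name);
        if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $safeName)) {
            continue;                                      // blocks ../, dotfiles, odd characters
        }
        $target = safeFetchTarget((string) $url);
        if ($target === null) {
            continue;
        }
        $data = @file_get_contents($target, false, $ctx, 0, 10 * 1024 * 1024); // 10 MiB cap
        if ($data === false) {
            continue;
        }
        file_put_contents($webDir . '/' . $safeName, $data);
        $written[] = $safeName;
    }
    return $written;
}

// Constructed probes modelled on the advisory. None reaches the network:
// every one is rejected by the scheme or literal-address checks.
$probes = [
    'file:///etc/passwd',
    '/var/www/html/config.php',
    'http://127.0.0.1:8080/admin',
    'http://[::1]/',
    'http://169.254.169.254/latest/meta-data/',
    'http://10.0.0.5/',
    'gopher://127.0.0.1:6379/_FLUSHALL',
];
foreach ($probes as $u) {
    printf("%-45s %s\n", $u, safeFetchTarget($u) === null ? 'rejected' : 'allowed');
}
```

Run it with `php ssrf_demo.php`; each probe prints `rejected`. A real hostname such as `https://example.com/style.css` goes through dns_get_record(), so it is only accepted with working DNS. The remaining weakness is the gap between resolving in safeFetchTarget() and connecting in file_get_contents(): a host whose answer flips to an internal address in that window (DNS rebinding) passes, which is why a stricter design pins the resolved address at the HTTP-client layer and keeps user-chosen downloads off the web-served path entirely.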
No detection rules found.
No public exploits indexed.