cvebase

Haxtheweb Haxcms-Php vulnerabilities

11 known vulnerabilities affecting haxtheweb/haxcms-php.

Total CVEs: 11
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 7, MEDIUM 3

Vulnerabilities

CVE-2026-46399 | P3 | CRITICAL | CVSS 9.4 | fixed in 26.0.0 | 2026-06-05
CVE-2026-46399 [CRITICAL] CWE-15: HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git filter commands and achieve code execution on the HAX CMS server. Version 26.0.0 patches the issue.
Source: nvd
CVE-2026-46394 | P3 | HIGH | CVSS 7.7 | fixed in 26.0.0 | 2026-06-05
CVE-2026-46394 [HIGH] CWE-78: HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an OS command injection vulnerability exists in the Git.php library of the HAXcms PHP backend. The application constructs shell command strings using unsanitized input and executes them via proc_open(). An attacker who can control parameters passed into Git ope
Source: nvd
CVE-2026-46400 | P3 | HIGH | CVSS 8.7 | affected >= 11.0.6, < 25.0.0 | 2026-06-05
CVE-2026-46400 [HIGH] CWE-434: HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 11.0.6 and prior to version 25.0.0, the file upload functionality in HAXCMS PHP only validates file extensions using a regex pattern without checking the actual file content or MIME type. This allows attackers to upload malicious files (e.g., PHP webshells) disguis
Source: nvd
CVE-2026-22704 | P4 | MEDIUM | CVSS 5.4 | PoC | fixed in 26.0.0 | 2026-01-10
CVE-2026-22704 [MEDIUM] CWE-79: HAX CMS helps manage microsite universe with PHP or NodeJs backends. In versions 11.0.6 to before 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0.
Source: nvd
CVE-2026-46511 | P3 | HIGH | CVSS 8.7 | fixed in 26.0.0 | 2026-06-05
CVE-2026-46511 [HIGH] CWE-79: HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover. The API dynamically leaks the active session's authenti
Source: nvd
CVE-2026-46398 | P3 | HIGH | CVSS 8.8 | affected >= 25.0.0, < 26.0.0 | 2026-06-05
CVE-2026-46398 [HIGH] CWE-614: HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the haxcms_refresh_token cookie is set without the Secure flag. This allows it to be transmitted over unencrypted HTTP, making it vulnerable to theft via packet sniffing on the network. Version 26.0.0 fixes the issue.
Source: nvd
CVE-2026-46493 | P3 | HIGH | CVSS 7.5 | fixed in 26.0.1 | 2026-06-05
CVE-2026-46493 [HIGH] CWE-338: HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.1 use `uniqid` for generating salts, which is unsuitable. Version 26.0.1 fixes the issue.
Source: nvd
CVE-2026-48527 | P3 | HIGH | CVSS 8.7 | fixed in 26.0.2 | 2026-05-29
CVE-2026-48527 [HIGH] CWE-79: HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting (XSS) vulnerability in the `/system/api/saveNode` endpoint. An authenticated user with a permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute without whitespace
Source: nvd
CVE-2026-46393 | P3 | HIGH | CVSS 7.1 | fixed in 26.0.0 | 2026-06-05
CVE-2026-46393 [HIGH] CWE-918: HAX CMS helps manage microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 26.0.0 allows authenticated users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. Ver
Source: nvd
CVE-2026-46390 | P3 | MEDIUM | CVSS 6.9 | affected >= 2.0.0, < 26.0.0 | 2026-06-05
CVE-2026-46390 [MEDIUM] CWE-639: HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 2.0.0 and prior to version 26.0.0, the gitlist plugin is exposed to unauthenticated users, allowing unauthenticated browsing of git repositories and git history. Version 26.0.0 patches the issue.
Source: nvd
CVE-2026-46397 | P3 | MEDIUM | CVSS 6.5 | fixed in 26.0.0 | 2026-06-05
CVE-2026-46397 [MEDIUM] CWE-22: HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate se
Source: nvd