CVE-2026-46357
Deferred - Pending Action
Denial of Service in HAX CMS NodeJS Application

Publication date: 2026-06-05

Last updated on: 2026-06-09

Assigner: GitHub, Inc.

Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire application offline, requiring a manual server restart to restore service. Version 26.0.0 fixes the issue.
Meta Information
Published: 2026-06-05
Last Modified: 2026-06-09
Generated: 2026-06-27
AI Q&A: 2026-06-06
EPSS Evaluated: 2026-06-25
Affected Vendors & Products (2 associated CPEs)
Vendor       Product    Version / Range
hax_cms      hax_cms    up to 26.0.0 (excluding)
haxtheweb    hax_cms    up to 26.0.0 (excluding)
CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Quick Actions
Executive Summary

The CVE-2026-46357 vulnerability affects the HAX CMS NodeJS application versions prior to 26.0.0. An authenticated attacker can send a specially crafted site creation request to the createSite endpoint, which causes the application to crash.

The crash happens because the server tries to process a file object that lacks an originalname property, leading to a TypeError when the code attempts to call replace() on undefined. Because the error is not handled, the Node.js process terminates immediately.

As a result, the entire application goes offline and requires a manual server restart to restore service.

Impact Analysis

This vulnerability can significantly impact the availability of the HAX CMS NodeJS application.

An attacker with low privileges, and without any user interaction, can crash the application with a single malicious request, making the service unavailable to all users.

The application remains offline until a manual server restart is performed, which can disrupt business operations and user access.

Detection Guidance

This vulnerability can be detected by monitoring the HAX CMS NodeJS application for crashes or unexpected restarts, especially after requests to the createSite endpoint.

Since the crash is caused by a specially crafted site creation request, inspecting logs for errors related to the createSite endpoint or TypeErrors involving tmpFile.originalname can help identify exploitation attempts.

Network monitoring tools can be used to detect unusual POST requests to the createSite endpoint from authenticated users.

  • Check application logs for errors like: "TypeError: Cannot read property 'replace' of undefined" related to tmpFile.originalname (newer Node.js releases phrase the same error as "TypeError: Cannot read properties of undefined (reading 'replace')").
  • Use command-line tools like grep to search logs: grep -i 'createSite' /path/to/haxcms/logs/*
  • Monitor NodeJS process status and crashes using commands like: ps aux | grep node or systemctl status haxcms.service
  • Use network monitoring tools (e.g., tcpdump or Wireshark) to filter POST requests to the createSite endpoint.
Mitigation Strategies

The immediate mitigation step is to upgrade the HAX CMS NodeJS application to version 26.0.0 or later, where this vulnerability is fixed.

Until the upgrade can be applied, restrict access to the createSite endpoint to trusted users only and monitor for suspicious activity.

Implement application-level monitoring to detect and respond quickly to crashes caused by this vulnerability.

If the application crashes, a manual server restart is required to restore service.

Compliance Impact

The vulnerability causes a denial of service by crashing the HAX CMS NodeJS application, leading to unavailability of the service until a manual restart is performed.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the resulting downtime and service unavailability could affect compliance requirements related to the availability and reliability of services.

However, there is no direct information provided about data breaches, unauthorized data access, or data loss that would more directly affect compliance with data protection regulations.
