CVE-2026-46357
Denial of Service in HAX CMS NodeJS Application
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hax_cms | hax_cms | all versions before 26.0.0 (26.0.0 excluded) |
| haxtheweb | hax_cms | all versions before 26.0.0 (26.0.0 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-46357 vulnerability affects the HAX CMS NodeJS application versions prior to 26.0.0. An authenticated attacker can send a specially crafted site creation request to the createSite endpoint, which causes the application to crash.
The crash happens because the server tries to process a file object that lacks an originalname property, leading to a TypeError when the code attempts to call replace() on undefined. This error causes the Node.js process to terminate immediately.
As a result, the entire application goes offline and requires a manual server restart to restore service.
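The defect class described above, shown as an added example (this is not HAX CMS source code): a file-name sanitiser that calls `replace()` on an upload's `originalname` without checking that it exists, beside a version that validates the input shape first and answers a malformed request with a 400 instead of letting a TypeError escape. The names `tmpFile`, `originalname` and `createSite` come from the advisory; the Express/multer-style `req.file` convention and the handler structure are assumptions.

```javascript
// Added example, not HAX CMS source: the defect class the advisory describes
// (a .replace() call on an upload's `originalname` that may be undefined)
// shown beside an input-validated version. `tmpFile`, `originalname` and the
// createSite route are the advisory's names; the multer-style `req.file`
// convention and the handler shape are assumptions.

const SAFE_NAME_RE = /[^a-zA-Z0-9._-]/g;

// Vulnerable pattern: trusts that originalname is present and is a string.
// If the client omits it, `undefined.replace` throws a TypeError; left
// uncaught in an async route, that exception terminates the Node.js process.
function unsafeBaseName(tmpFile) {
  return tmpFile.originalname.replace(SAFE_NAME_RE, '_');
}

// Hardened pattern (CWE-20 fix): validate the shape first, never throw on
// malformed input, and strip any path components the client supplied.
function safeBaseName(tmpFile) {
  if (tmpFile === null || typeof tmpFile !== 'object') return null;
  const name = tmpFile.originalname;
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) return null;
  const base = name.split(/[\\/]/).pop();
  if (!base || base === '.' || base === '..') return null;
  return base.replace(SAFE_NAME_RE, '_');
}

// Route-level guard in Express style: a bad request gets a 400 response
// instead of crashing the service for every user.
function handleCreateSite(req) {
  const baseName = safeBaseName(req && req.file);
  if (baseName === null) {
    return { status: 400, body: { error: 'createSite: upload is missing a valid originalname' } };
  }
  return { status: 200, body: { fileName: baseName } };
}

// Returns true if fn(arg) throws a TypeError; used to show the contrast.
function throwsTypeError(fn, arg) {
  try { fn(arg); return false; } catch (e) { return e instanceof TypeError; }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe with {}:', throwsTypeError(unsafeBaseName, {}));   // true
  console.log('safe with {}:', safeBaseName({}));                         // null
  console.log(handleCreateSite({ file: { originalname: '../my site.html' } }));
}
```

Validation at the handler is the real fix; separately, running the Node.js process under a supervisor (systemd with a restart policy, or a process manager) removes the "manual restart" dependency the advisory mentions, but it does not remove the crash itself, so it is a complement to the upgrade, not a substitute.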
How can this vulnerability impact me?
This vulnerability can significantly impact the availability of the HAX CMS NodeJS application.
An attacker with low privileges, and without any user interaction, can crash the application by sending a malicious request, making the service unavailable to all users.
The application remains offline until a manual server restart is performed, which can disrupt business operations and user access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the HAX CMS NodeJS application for crashes or unexpected restarts, especially after requests to the createSite endpoint.
Since the crash is caused by a specially crafted site creation request, inspecting logs for errors related to the createSite endpoint or TypeErrors involving tmpFile.originalname can help identify exploitation attempts.
Network monitoring tools can be used to detect unusual POST requests to the createSite endpoint from authenticated users.
- Check application logs for a TypeError raised on tmpFile.originalname. The exact wording depends on the Node.js release: older versions log "TypeError: Cannot read property 'replace' of undefined", current versions log "TypeError: Cannot read properties of undefined (reading 'replace')".
- Use command-line tools like grep to search logs: grep -i 'createSite' /path/to/haxcms/logs/*
- Monitor NodeJS process status and crashes using commands like: ps aux | grep node or systemctl status haxcms.service
- Use network monitoring tools (e.g., tcpdump or Wireshark) to filter POST requests to the createSite endpoint.
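The log checks listed above, as an added triage helper that is not part of the advisory or of HAX CMS: it scans constructed log lines, pairs each crash-signature TypeError (both Node.js wordings) with the most recent createSite request, and counts findings per user. The log line format ("ISO time, level, message", with indented untimestamped stack frames) and the sample lines are assumptions; a real deployment's format will differ and the regular expressions would need adjusting.

```javascript
// Added example, not from the advisory or HAX CMS: log triage for the crash
// signature described above. Log format is an assumption:
//   "<ISO time> <LEVEL> <message>"; stack frames are indented, untimestamped.
const CREATE_SITE_RE = /POST\s+\S*createSite\b/i;
// V8 changed the wording of this error across Node.js releases; match both.
const REPLACE_TYPEERROR_RE =
  /TypeError: Cannot read propert(?:y 'replace' of undefined|ies of undefined \(reading 'replace'\))/;

function parseLine(line) {
  const m = /^(\S+)\s+(\w+)\s+(.*)$/.exec(line);
  return m ? { time: m[1], level: m[2], msg: m[3] } : null;
}

// Returns one finding per crash-signature TypeError, each linked to the
// createSite request that immediately preceded it (or null if none did).
function findCrashEvidence(lines) {
  const findings = [];
  let lastCreateSite = null; // most recent createSite request seen
  let pending = null;        // finding whose stack trace is still being read
  for (const raw of lines) {
    const rec = parseLine(raw);
    if (!rec) {
      // Untimestamped continuation (stack frame). The property name only
      // appears here if the application itself logs it; V8's message never does.
      if (pending && raw.includes('originalname')) pending.mentionsOriginalname = true;
      continue;
    }
    pending = null;
    if (CREATE_SITE_RE.test(rec.msg)) {
      lastCreateSite = {
        time: rec.time,
        ip: (/from\s+(\S+)/.exec(rec.msg) || [])[1] || 'unknown',
        user: (/user=(\S+)/.exec(rec.msg) || [])[1] || 'unknown',
      };
    } else if (REPLACE_TYPEERROR_RE.test(rec.msg)) {
      pending = {
        crashTime: rec.time,
        request: lastCreateSite,
        mentionsOriginalname: rec.msg.includes('originalname'),
        message: rec.msg,
      };
      findings.push(pending);
      lastCreateSite = null;
    }
  }
  return findings;
}

// Aggregates findings by the authenticated user of the linked request.
function countByUser(findings) {
  const counts = {};
  for (const f of findings) {
    const u = f.request ? f.request.user : 'unknown';
    counts[u] = (counts[u] || 0) + 1;
  }
  return counts;
}

// Constructed sample log: two crashes in the two Node.js wordings, one
// unrelated TypeError that must not be flagged, and a benign createSite call.
const SAMPLE_LOG = [
  '2026-06-05T10:00:01Z INFO POST /createSite from 203.0.113.5 user=editor1 status=200',
  '2026-06-05T10:00:07Z INFO POST /createSite from 203.0.113.9 user=editor2',
  "2026-06-05T10:00:07Z ERROR TypeError: Cannot read properties of undefined (reading 'replace')",
  '    at sanitizeName (/srv/haxcms/createSite.js:42:31)',
  '2026-06-05T10:00:08Z INFO process exited with code 1',
  '2026-06-05T11:15:00Z INFO POST /api/createSite from 198.51.100.7 user=editor3',
  "2026-06-05T11:15:00Z ERROR createSite handler failed: TypeError: Cannot read property 'replace' of undefined (tmpFile.originalname)",
  "2026-06-05T12:00:00Z ERROR TypeError: Cannot read properties of undefined (reading 'length')",
];

if (typeof require !== 'undefined' && require.main === module) {
  const findings = findCrashEvidence(SAMPLE_LOG);
  console.log(JSON.stringify(findings, null, 2));
  console.log(countByUser(findings));
}
```

The pairing is by log order only, so on a busy server a crash may be attributed to an innocent request that happened to be logged last; treat the per-user counts as a starting point for review, and confirm against the request body or the upstream proxy log before acting on them.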
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the HAX CMS NodeJS application to version 26.0.0 or later, where this vulnerability is fixed.
Until the upgrade can be applied, restrict access to the createSite endpoint to trusted users only and monitor for suspicious activity.
Implement application-level monitoring to detect and respond quickly to crashes caused by this vulnerability.
If the application crashes, a manual server restart is required to restore service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability causes a denial of service by crashing the HAX CMS NodeJS application, leading to unavailability of the service until a manual restart is performed.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the resulting downtime and service unavailability could potentially impact compliance requirements related to availability and reliability of services.
However, there is no direct information provided about data breaches, unauthorized data access, or data loss that would more directly affect compliance with data protection regulations.