CVE-2026-46393
Deferred Deferred - Pending Action
Authenticated SSRF in HAX CMS Prior to 26.0.0

Publication date: 2026-06-05

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 26.0.0 allows authenticated users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. Version 26.0.0 contains a fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-08
Generated
2026-06-27
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-25
NVD
CVE-2026-46393
EUVD
EUVD-2026-34884
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
haxtheweb haxcms to 26.0.0 (exc)
haxtheweb haxcms 26.0.0
haxtheweb haxcms-nodejs to 26.0.0 (exc)
haxtheweb haxcms-nodejs 26.0.0
haxtheweb haxcms-php to 26.0.0 (exc)
haxtheweb haxcms-php 26.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-46393 is a high-severity Server-Side Request Forgery (SSRF) vulnerability found in HAXcms versions 25.0.0 and below, affecting both the Node.js and PHP implementations.

The vulnerability exists in the createSite endpoint, specifically in the build.files parameter, which allows authenticated users to supply arbitrary URLs or local file paths without proper validation.

This input is processed server-side using file_get_contents(), enabling attackers to fetch internal resources, local files, or cloud metadata endpoints and write the responses to a web-accessible directory.

Exploitation requires an authenticated session with valid JWT and CSRF tokens.

Impact Analysis

This vulnerability can lead to unauthorized data access by allowing attackers to read sensitive internal files and resources.

Attackers can access internal network services and potentially exfiltrate cloud credentials by fetching cloud metadata endpoints.

The vulnerability bypasses standard upload validation, increasing the risk of system compromise and exposure of confidential information.

Detection Guidance

This SSRF vulnerability can be detected by monitoring for unusual requests to the createSite endpoint, especially those including the build.files parameter with arbitrary URLs or local file paths.

Detection can involve checking server logs for authenticated requests that attempt to fetch internal or cloud metadata URLs.

Since exploitation requires valid JWT and CSRF tokens, commands to inspect active sessions or tokens might help identify suspicious activity.

  • Use web server access logs to grep for requests to the createSite endpoint with suspicious parameters, e.g.:
  • grep 'createSite' /var/log/nginx/access.log | grep 'build.files='
  • Monitor outgoing HTTP requests from the server to internal IP ranges or cloud metadata endpoints (e.g., 169.254.169.254 for AWS).
  • Use network monitoring tools like tcpdump or Wireshark to capture and analyze traffic for unexpected internal resource access.
Mitigation Strategies

The immediate mitigation step is to upgrade HAXcms to version 26.0.0 or later, where the vulnerability has been fixed.

Until the upgrade can be applied, restrict access to the createSite endpoint to trusted users only and monitor for suspicious activity.

Ensure that JWT and CSRF tokens are securely managed and consider invalidating existing tokens to prevent exploitation.

Implement network-level restrictions to prevent the server from making unauthorized requests to internal or cloud metadata services.

Compliance Impact

The SSRF vulnerability in HAXcms allows authenticated users to read arbitrary internal files and access internal network resources, potentially exposing sensitive and confidential information.

Such unauthorized data access and exposure can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over personal and sensitive data confidentiality and integrity.

Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to unauthorized disclosure or access to protected data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46393. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart