CVE-2026-46493
HAX CMS Predictable Salt Generation Vulnerability
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| haxtheweb | haxcms-php | up to 26.0.1 (exclusive) |
| haxtheweb | haxcms-php | 26.0.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-338 | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-46493 is a vulnerability in HAX CMS versions prior to 26.0.1 where the system uses the PHP function `uniqid` to generate salts. This function is not cryptographically secure and produces predictable values, making it unsuitable for security-sensitive purposes like salt generation.
Because salts are used to enhance security by adding randomness, using a predictable method like `uniqid` weakens this protection. Attackers could potentially predict or manipulate these values, compromising security.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access or data breaches because the predictable salts can be exploited by attackers to bypass security mechanisms.
The CVSS score of 7.5 indicates a high severity, with a high impact on confidentiality, and no privileges or user interaction required for exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if the HAX CMS PHP package version is prior to 26.0.1, as these versions use the insecure `uniqid` function for generating salts.
To detect the vulnerability on your system, check the installed version of HAX CMS PHP. If you have access to the source code or installation files, you can search for usage of the `uniqid` function in salt or key generation.
Example commands to detect the vulnerable code usage:
- On a Unix-like system, change into the HAX CMS PHP directory and run `grep -r uniqid .` to list every occurrence of the insecure function.
- Check the installed version by looking for version files or package metadata, or by running the project's version command if one is available.
If you find that salts or keys are generated using `uniqid()`, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the HAX CMS PHP package to version 26.0.1 or later, where the issue is fixed.
Version 26.0.1 replaces the insecure `uniqid` function with a cryptographically secure random secret generation method using `random_bytes()`.
If upgrading immediately is not possible, review and modify the code to replace all uses of `uniqid()` for salt or key generation with a secure random function such as `random_bytes()`.
Additionally, ensure that password generation uses secure random functions like `random_int()` instead of insecure functions like `rand()`.
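As an added example (not code from the HAX CMS project), the weak `uniqid()` salt is shown beside the `random_bytes()` form the fix describes, together with a `random_int()` password generator; the function names and the prefix check are assumptions made for illustration:

```php
<?php
declare(strict_types=1);

// Weak pattern named in the advisory: uniqid() encodes the current time
// (8 hex chars of seconds + 5 hex chars of microseconds), so its output is
// predictable rather than random and must not be used as a salt.
function weakSalt(): string
{
    return uniqid();
}

// Hardened form matching the fix: 16 bytes from the CSPRNG, hex-encoded.
function secureSalt(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

// Password generation must draw from random_int(), never rand().
function securePassword(int $length = 20): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Length of the shared leading run of two strings; used below to make the
// low entropy of uniqid() visible: values generated close together share
// most of their characters, so a defender should treat them as guessable.
function commonPrefixLength(string $a, string $b): int
{
    $n = min(strlen($a), strlen($b));
    $i = 0;
    while ($i < $n && $a[$i] === $b[$i]) {
        $i++;
    }
    return $i;
}

$w1 = weakSalt();
usleep(1000);
$w2 = weakSalt();
$s1 = secureSalt();
$s2 = secureSalt();
printf("uniqid():       %s %s (shared prefix %d of 13)\n", $w1, $w2, commonPrefixLength($w1, $w2));
printf("random_bytes(): %s %s (shared prefix %d of 32)\n", $s1, $s2, commonPrefixLength($s1, $s2));
printf("random_int() password: %s\n", securePassword());
```

Two `uniqid()` values taken a millisecond apart typically share the first eight or more characters, while two `random_bytes()` salts share at most a character or two by chance.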
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in HAX CMS prior to version 26.0.1 involves the use of the insecure `uniqid` function for generating salts, which can lead to predictable values in security contexts.
This weakness could potentially allow attackers to gain unauthorized access or cause data breaches, impacting the confidentiality of sensitive information.
Such a compromise of confidentiality may affect compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access.
Therefore, the vulnerability poses a risk to meeting these regulatory requirements until it is fixed by upgrading to version 26.0.1 or later.