← volver
CVE-2026-46357

HAX CMS NodeJS application Vulnerable to Denial of Service using Malicious Import Request

CVSS 6.5 MEDIUMEPSS 0.2%CWE-20
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 6.5EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
05 jun 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire application offline, requiring a manual server restart to restore service. Version 26.0.0 fixes the issue.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Productos afectados
haxtheweb · haxcms-nodejs

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/haxtheweb/issues/security/advisories/GHSA-9r33-xhw8-4qqp