Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

7 matches found

NVD
NVDadded 2026/06/05 7:16 p.m.9 views

CVE-2026-46511

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the /system/api/connectionSettings endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover...

8.7CVSS0.00275EPSS
Exploits0References1
Cvelist
Cvelistadded 2026/06/05 6:32 p.m.33 views

CVE-2026-46511 HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the /system/api/connectionSettings endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover...

8.7CVSS0.00275EPSS
Exploits0References1
CVE
CVEadded 2026/06/05 6:27 p.m.20 views

CVE-2026-46395

HAX CMS Node.js backend (before 26.0.0) exposes a critical cryptographic flaw in the hmacBase64() function. It uses a hardcoded signing key of the string "0" and then appends the real key (this.privateKey + this.salt) to the output, producing tokens that reveal the private key when decoded. An un...

9.3CVSS5.9AI score0.00189EPSS
Exploits1References1
OSV
OSVadded 2026/05/19 2:47 p.m.7 views

GHSA-X3X5-7H4H-GWXG HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack

Summary An attack chain utilizing Stored XSS alongside dynamic token exposure in the /system/api/connectionSettings endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover. The API dynamically leaks the active session's authentication tokens including the jwt...

8.7CVSS5.9AI score0.00275EPSS
Exploits0References3
OSV
OSVadded 2026/05/19 2:44 p.m.6 views

GHSA-6C8G-9HFH-PQ5H HAXcms: Private Key Disclosure via Broken HMAC Implementation

Summary The hmacBase64 function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system’s private signing key and forge arbitrary admin-level JSON Web Tokens JWTs allowing them to get full admin...

9.3CVSS6.1AI score0.00189EPSS
Exploits1References3
Positive Technologies
Positive Technologiesadded 2026/05/19 12:0 a.m.10 views

PT-2026-41976

Name of the Vulnerable Software and Affected Versions HAX CMS versions prior to 26.0.0 Description The hmacBase64 function in the HAXcms Node.js backend contains two cryptographic implementation errors. First, the function uses a hardcoded string "0" as the HMAC signing key instead of the intende...

9.3CVSS5.4AI score0.00189EPSS
Exploits1References6
Positive Technologies
Positive Technologiesadded 2026/05/19 12:0 a.m.11 views

PT-2026-41979

Name of the Vulnerable Software and Affected Versions HAX CMS versions prior to 26.0.0 Description An attack chain combining Stored XSS and dynamic token exposure allows an authenticated attacker to perform a complete cross-tenant account takeover. The system is vulnerable to Stored XSS through...

8.7CVSS5.5AI score0.00275EPSS
Exploits0References5
Rows per page
Query Builder