Lucene search
K

8 matches found

CVE
CVE
added 2026/06/05 7:21 p.m.22 views

CVE-2026-46357

CVE-2026-46357 affects HAX CMS NodeJS backend. An authenticated attacker can crash the NodeJS process by sending a malformed request to the remote import workflow via the createSite endpoint, causing an availability DoS with a single HTTP request. The crash originates from a file object without o...

6.5CVSS5.3AI score0.0024EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/05 7:21 p.m.10 views

CVE-2026-46357

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire...

6.5CVSS5.3AI score0.0024EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/05 6:24 p.m.33 views

CVE-2026-46393 HAXcms createSite SSRF Enables Arbitrary File Read

HAX CMS helps manage microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery SSRF vulnerability in versions prior to 26.0.0 allows authenticated users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enablin...

7.1CVSS0.00238EPSS
Exploits0References1
OSV
OSV
added 2026/05/19 7:51 p.m.6 views

GHSA-9R33-XHW8-4QQP HAX CMS: Denial of Service using Malicious Import Request

Summary The HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire application offline, requiring a manual server restart to restore service. Details The...

6.5CVSS5.8AI score0.0024EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/19 7:51 p.m.10 views

NULL Pointer Dereference

Overview @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to NULL Pointer Dereference when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire...

7.1CVSS5.4AI score0.0024EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/19 2:44 p.m.10 views

Server-side Request Forgery (SSRF)

Overview @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the createSite function. An attacker can access internal network resources and read arbitrary files by supplying crafted URLs or file paths to the...

7.1CVSS5.6AI score0.00238EPSS
Exploits0References2
OSV
OSV
added 2026/05/19 2:44 p.m.7 views

GHSA-Q862-GCGQ-5M6G HAXcms createSite SSRF Enables Arbitrary File Read

Summary An authenticated Server-Side Request Forgery SSRF vulnerability in HAXcms allows users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. Details The createSite endpoint in HAXcms...

7.1CVSS5.9AI score0.00238EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/19 12:0 a.m.13 views

PT-2026-42040

Name of the Vulnerable Software and Affected Versions HAX CMS versions prior to 26.0.0 Description The NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the 'createSite' endpoint. This occurs because the createSite function passes a file...

6.5CVSS5.3AI score0.0024EPSS
Exploits0References5
Rows per page
Query Builder