Lucene search

21 matches found

RedhatCVE
added yesterday, 9 views

CVE-2026-46391

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker can append the...

8.7 CVSS, 5.5 AI score, 0.00016 EPSS
Exploits: 0, References: 1
CVE
added 2 days ago, 11 views

CVE-2026-46391

CVE-2026-46391 concerns HAX CMS/Open-apis where, from versions before 26.0.0, multiple functions perform substring-only hostname validation for basic auth destinations. The underlying issue is substring matching that can be manipulated by an attacker to exfiltrate credentials by directing request...

8.7 CVSS, 5.5 AI score, 0.00016 EPSS
Exploits: 0, References: 1
vulnersOsv
added 2026/05/19 7:51 p.m., 11 views

@haxtheweb/create (>=0.1.3 <=25.0.2), @haxtheweb/open-apis (>=11.0.2 <=25.0.0) +1 more potentially affected by CVE-2026-46357 via @haxtheweb/haxcms-nodejs (>=0.0.13 <=25.0.0)

@haxtheweb/haxcms-nodejs NPM version =0.0.13, =0.1.3, =11.0.2, =1.0.0, =1.0.7 Source cves: CVE-2026-46357 Source advisory: OSV:GHSA-9R33-XHW8-4QQP...

5.8 AI score, 0.00059 EPSS
Exploits: 0
vulnersOsv
added 2026/05/19 2:44 p.m., 13 views

@haxtheweb/create (>=10.0.0 <=25.0.2), @haxtheweb/open-apis (=11.0.2) +1 more potentially affected by CVE-2026-46391 via @haxtheweb/open-apis (>=10.0.1 <=25.0.0)

@haxtheweb/open-apis NPM version =10.0.1, =10.0.0, =1.0.0, =1.0.7 Source cves: CVE-2026-46391 Source advisory: OSV:GHSA-4FG7-F244-3J49...

5.8 AI score, 0.00016 EPSS
Exploits: 0
vulnersOsv
added 2025/07/25 8:10 p.m., 2 views

@haxtheweb/create (>=0.1.3 <=11.0.2), @haxtheweb/open-apis (=11.0.2) potentially affected by CVE-2025-54378 via @haxtheweb/haxcms-nodejs (>=0.0.13 <=10.0.6)

@haxtheweb/haxcms-nodejs NPM version =0.0.13, =0.1.3, =11.0.2 - @haxtheweb/open-apis =11.0.2 Source cves: CVE-2025-54378 Source advisory: OSV:GHSA-9JR9-8FF3-M894...

8.3 CVSS, 5.8 AI score, 0.0034 EPSS
Exploits: 1
vulnersOsv
added 2025/07/21 7:52 p.m., 2 views

@haxtheweb/create (>=0.1.3 <=25.0.0), @haxtheweb/open-apis (>=11.0.2 <=11.0.3) potentially affected by CVE-2025-54134 via @haxtheweb/haxcms-nodejs (>=0.0.13 <=11.0.15)

@haxtheweb/haxcms-nodejs NPM version =0.0.13, =0.1.3, =11.0.2, =11.0.3 Source cves: CVE-2025-54134 Source advisory: OSV:GHSA-PJJ3-J5J6-QJ27...

7.1 CVSS, 5.8 AI score, 0.00189 EPSS
Exploits: 0
vulnersOsv
added 2025/06/09 8:30 p.m., 2 views

@haxtheweb/create (>=0.1.3 <=25.0.0), @haxtheweb/open-apis (>=11.0.2 <=11.0.3) potentially affected by CVE-2025-49141 via @haxtheweb/haxcms-nodejs (>=0.0.13 <=11.0.15)

@haxtheweb/haxcms-nodejs NPM version =0.0.13, =0.1.3, =11.0.2, =11.0.3 Source cves: CVE-2025-49141 Source advisory: OSV:GHSA-G4CF-PP4X-HQGW...

8.8 CVSS, 5.8 AI score, 0.04034 EPSS
Exploits: 1
vulnersOsv
added 2025/06/09 7:7 p.m., 3 views

@haxtheweb/create (>=0.1.3 <=11.0.2), @haxtheweb/open-apis (=11.0.2) potentially affected by CVE-2025-49139 via @haxtheweb/haxcms-nodejs (>=0.0.13 <=10.0.6)

@haxtheweb/haxcms-nodejs NPM version =0.0.13, =0.1.3, =11.0.2 - @haxtheweb/open-apis =11.0.2 Source cves: CVE-2025-49139 Source advisory: OSV:GHSA-V3PH-2Q5Q-CG88...

6.5 CVSS, 5.8 AI score, 0.00269 EPSS
Exploits: 1
vulnersOsv
added 2025/06/05 1:7 a.m., 4 views

@haxtheweb/create (>=10.0.0 <=11.0.2), @haxtheweb/open-apis (=11.0.2) potentially affected by CVE-2025-48996 via @haxtheweb/open-apis (=10.0.1)

@haxtheweb/open-apis NPM version =10.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on @haxtheweb/open-apis and may be impacted: - @haxtheweb/create =10.0.0, =11.0.2 - @haxtheweb/open-apis =11.0.2 Source cves: CVE-2025-48996 Source advisory:...

5.3 CVSS, 5.8 AI score, 0.00213 EPSS
Exploits: 0
Vulnrichment
added 2025/06/02 7:24 p.m., 9 views

CVE-2025-48996 Unauthenticated Disclosure of PSU HAX CMS Site Listings via haxPsuUsage API Endpoint

HAX open-apis provides microservice apis for HAX webcomponents repo that are shared infrastructure calls. An unauthenticated information disclosure vulnerability exists in the Penn State University deployment of the HAX content management system via the haxPsuUsage API endpoint, related to a flat...

5.3 CVSS, 6.8 AI score, 0.00213 EPSS
Exploits: 0, References: 2
CNNVD
added 2025/06/02 12:0 a.m., 1 views

open-apis security vulnerability

open-apis is a microservices API for the HAX Web Component Repository open-sourced by HAX The Web. A security vulnerability exists in open-apis version 10.0.2 and earlier, which stems from the disclosure of unauthenticated information and could lead to the disclosure of website listings...

5.3 CVSS, 6.1 AI score, 0.00213 EPSS
Exploits: 0, References: 4
Carbon Black Blog
added 2020/05/12 2:0 p.m., 30 views

Kicking off Developer Day 2020

Developer Day 2020 kicks off today with seven on-demand sessions for more than 2,600 registrants. This is the first time Developer Day has been held in a virtual setting and the VMware Carbon Black team is excited to welcome the largest group of developers we have ever had in attendance. With eig...

0.4 AI score
Exploits: 0
Carbon Black Blog
added 2020/04/09 3:0 p.m., 38 views

The Results Are In: Defender Confidence Is On The Rise

Recently, I spent two weeks traveling across Europe talking with defenders, reporters, and leaders of security programs. While each country faces its own unique challenges and has its own needs, there were a few themes that were consistently present. Threat Outlook Report 2020. Naturally, we...

7.3 AI score
Exploits: 0
Carbon Black Blog
added 2019/05/21 2:0 p.m., 66 views

Developer Day 2019

Carbon Black is proud to announce its second annual Developer Day to be held on June 3, 2019, one day prior to the annual CB Connect 2019 user conference. Customers and partners worldwide will converge at the Hotel del Coronado in San Diego, California, to hear from Carbon Black employees and...

7.2 AI score
Exploits: 0
Carbon Black Blog
added 2018/11/15 2:0 p.m., 45 views

Partner Perspectives: Collaborate and Consolidate with King & Union and Carbon Black

Peter Prizio Jr. is the Senior Product Manager for King & Union. One of the biggest challenges facing security organizations today is dealing with the overwhelming number of alerts received each and every day. A staggering 27 percent of IT professionals report receiving more than one million aler...

0.6 AI score
Exploits: 0
Carbon Black Blog
added 2018/10/30 1:42 p.m., 28 views

Small Business Benefits of Moving to the Cloud: Ease of Use

If you’re a security professional at a small business, odds are you’re looking for a solution that isn’t overly complicated and doesn’t require a huge amount of oversight. At Carbon Black, we understand that your security and IT Ops teams are understaffed and your budget is stretched thin...

0.4 AI score
Exploits: 0
Carbon Black Blog
added 2018/10/23 1:0 p.m., 109 views

Partner Perspectives: The Power of Shared Intelligence: Juniper Sky ATP and Cb Response

Scott Emo is the Director of Field Readiness, Security, for Juniper Networks. Uncover and Mitigate the Most Sophisticated Cyber Attacks The rapid growth of emerging technologies, combined with an increasing number of connected devices running business-critical applications in highly distributed...

0.3 AI score
Exploits: 0
Carbon Black Blog
added 2018/10/09 5:9 p.m., 12 views

Empowering Developers: How Unfiltered Data and Custom Integrations Became a Foundation for Carbon Black

Today, we’re hosting our first-ever Developer Day from the sold-out CbConnect18 conference in New York. The day features in-depth, technical workshops to accelerate developers’ ability to extend Carbon Black’s open cloud platform to improve the security stack. The way I see it, this day is years ...

Exploits: 0
Carbon Black Blog
added 2018/10/09 2:28 p.m., 28 views

Empowering Developers: How Unfiltered Data and Custom Integrations Became a Foundation for Carbon Black

Today, we’re hosting our first-ever Developer Day from the sold-out CbConnect18 conference in New York. The day features in-depth, technical workshops to accelerate developers’ ability to extend Carbon Black’s open cloud platform to improve the security stack. The way I see it, this day is years ...

Exploits: 0
Carbon Black Blog
added 2018/03/28 1:0 p.m., 30 views

With the Carbon Black Integration Network (CbIN), We’re Delivering Stronger Cybersecurity via Open APIs

Today is another exciting day for Carbon Black, as we unveil the Carbon Black Integration Network CbIN, a technology partner program designed to improve cybersecurity through collective defense and powered by Carbon Black’s open APIs and the Cb Predictive Security CloudTM PSC. Security teams toda...

7 AI score
Exploits: 0