CVE-2026-46393 in haxcms-nodejs
Summary
by MITRE • 06/05/2026
HAX CMS helps manage microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 26.0.0 allows authenticated users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. Version 26.0.0 contains a fix.
Analysis
by VulDB Data Team • 06/06/2026
The HAX CMS platform presents a critical security vulnerability through an authenticated server-side request forgery flaw that affects versions prior to 26.0.0. This vulnerability operates within the context of a content management system designed to handle microsite universes through both PHP and Node.js backend architectures, creating a complex attack surface that extends beyond traditional web application boundaries. The flaw specifically targets the authentication mechanisms within the system, requiring attackers to first establish a valid user session before exploiting the SSRF capability, which significantly reduces the attack surface but does not eliminate the risk entirely.
The technical root of this vulnerability is insufficient input validation and improper handling of user-supplied URLs within the CMS's resource fetching mechanisms. When authenticated users submit requests to fetch remote resources, the application fails to properly sanitize or validate the input parameters, allowing malicious actors to construct requests that bypass normal network restrictions. This flaw aligns with CWE-918, which specifically addresses server-side request forgery vulnerabilities where applications fail to properly validate and restrict external resource access. The vulnerability enables attackers to construct requests that can reach internal network services or local file systems, effectively turning a legitimate CMS function into a powerful reconnaissance and exploitation tool.
The operational impact of this vulnerability extends far beyond simple data exfiltration, as it provides attackers with the capability to read arbitrary files from the server's file system and write responses to web-accessible directories. This dual capability creates a complete attack chain where threat actors can first enumerate internal resources, then extract sensitive configuration files, database credentials, or system information, and finally establish persistent access through file writing capabilities. The ability to write to web-accessible directories transforms this vulnerability into a potential code execution vector, as attackers can upload malicious files that will be executed by the web server. This vulnerability directly maps to ATT&CK technique T1071.004 for application layer protocol usage and T1566.001 for credential harvesting, creating a comprehensive attack framework for lateral movement and privilege escalation.
Organizations using affected versions of HAX CMS face significant risk exposure despite the authenticated nature of the vulnerability, which means that attackers must first compromise a legitimate user account or obtain valid credentials. The severity remains high because the vulnerability can be exploited by users with minimal privileges, potentially allowing for privilege escalation attacks or access to sensitive internal systems. The fix implemented in version 26.0.0 addresses the core issue through enhanced input validation, proper URL sanitization, and restriction of outbound network requests to prevent access to internal resources. Security teams should upgrade to version 26.0.0 or later without delay, while also monitoring for potential exploitation attempts through log analysis and network traffic inspection. Additionally, network segmentation and access controls provide defense-in-depth measures that limit the impact of successful exploitation, particularly in environments where the CMS is deployed in shared or multi-tenant architectures.