CVE-2026-46391 HIGH

CVE-2026-46391: HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis

Vendor Haxtheweb
Product @haxtheweb/open-apis
Weakness CWE-183
Published June 5, 2026
Last update June 8, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

What the vulnerability does

01Description

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker can append the matched substrings to an attacker-controlled endpoint and capture authentication. Version 26.0.0 fixes the issue.

Key dates

02Disclosure timeline

June 5, 2026 CVE published
June 8, 2026 Record updated