CVE-2026-46393 HIGH

CVE-2026-46393: HAXcms createSite SSRF Enables Arbitrary File Read

Vendor Haxtheweb
Product haxcms-nodejs
Weakness CWE-918 · SSRF
Published June 5, 2026
Last update June 8, 2026
View on NVD All CVEs

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

HAX CMS helps manage microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 26.0.0 allows authenticated users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. Version 26.0.0 contains a fix.

Key dates

02Disclosure timeline

June 5, 2026 CVE published
June 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-50337 Chamilo: Potential unauthenticated blind SSRF via openid function CVE-2024-1965 Server-Side Request Forgery Vulnerability in Haivision Products CVE-2026-33081 PinchTab has Blind SSRF via browser-side redirect bypass in /download URL validation CVE-2026-44971 GuardDog: Blind GitHub URL rewrite in remote project scanning causes SSRF and `GH_TOKEN` exfiltration CVE-2025-11917 WPeMatico RSS Feed Fetcher <= 2.8.11 - Authenticated (Subscriber+) Server-Side Request Forgery via wpematico_test_feed