CVE-2026-46397 MEDIUM

CVE-2026-46397: haxcms-php Local File Inclusion via saveOutline API Location Parameter v2.0

Vendor Haxtheweb

Product haxcms-php

Weakness CWE-22 · Path traversal

Published June 5, 2026

Last update June 8, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). Version 26.0.0 patches the issue.

Key dates

Disclosure timeline

June 5, 2026 CVE published

June 8, 2026 Record updated

Identifiers

CVE CVE-2026-46397

CWE CWE-22

CVSS 6.5 / MEDIUM

Affected versions

Vendor Haxtheweb

Product haxcms-php

Affected < 26.0.0

Vendor Haxtheweb

Product haxcms-nodejs

Affected < 26.0.0