CVE-2026-46391
HighCVSS 8.7Exploitation Probability (EPSS)
Low risk36th percentile - higher than 36% of all known CVEs
Summary
HAX CMS, used to manage microsites with PHP or NodeJs backends, has a hostname validation issue in versions 9.0.1 to 26.0.0. Multiple functions conduct substring-only matching, allowing an attacker to capture authentication credentials.
Risk Assessment
An attacker can exploit this vulnerability to capture authentication credentials, potentially leading to unauthorized access to the organization's systems.
Recommendation
It is recommended to upgrade to version 26.0.0 or later to mitigate this vulnerability.
Original NVD description (English source)
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker can append the matched substrings to an attacker-controlled endpoint and capture authentication. Version 26.0.0 fixes the issue.

