CVE Catalog

CVE-2026-46391

HighCVSS 8.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.46%

36th percentile - higher than 36% of all known CVEs

Summary

HAX CMS, used to manage microsites with PHP or NodeJs backends, has a hostname validation issue in versions 9.0.1 to 26.0.0. Multiple functions conduct substring-only matching, allowing an attacker to capture authentication credentials.

Risk Assessment

An attacker can exploit this vulnerability to capture authentication credentials, potentially leading to unauthorized access to the organization's systems.

Recommendation

It is recommended to upgrade to version 26.0.0 or later to mitigate this vulnerability.

Original NVD description (English source)

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker can append the matched substrings to an attacker-controlled endpoint and capture authentication. Version 26.0.0 fixes the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS