CVE Catalog

CVE-2026-46397

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Summary

HAX CMS prior to version 26.0.0 contains an Authenticated Local File Inclusion (LFI) vulnerability in the saveOutline endpoint, allowing a low-privileged user to read arbitrary files on the server. This vulnerability can be exploited by attackers to exfiltrate sensitive system files.

Risk Assessment

The organization is at risk of leaking sensitive data such as configuration files or application secrets, which could lead to serious security breaches.

Recommendation

It is recommended to upgrade HAX CMS to version 26.0.0 or later to mitigate this vulnerability.

Original NVD description (English source)

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). Version 26.0.0 patches the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS