CVE Catalog

CVE-2026-46401

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

23th percentile - higher than 23% of all known CVEs

Summary

HAX CMS, used for managing microsites with PHP or NodeJs backends, has an improper session termination vulnerability in versions prior to 26.0.0. Authentication tokens remain valid after user logout, allowing attackers to maintain persistent access to CMS functionality.

Risk Assessment

The organization is at risk of unauthorized access to CMS metadata and administrative functions, which could lead to serious security breaches.

Recommendation

It is recommended to upgrade to version 26.0.0 or later to mitigate this vulnerability.

Original NVD description (English source)

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.0 suffer from an improper session termination vulnerability where authentication tokens remain valid after user logout. This allows attackers who obtain valid tokens to maintain persistent access to authenticated CMS functionality, bypassing the intended session termination mechanism and enabling unauthorized access to CMS metadata and administrative functions. Version 26.0.0 fixes the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS