CVE-2026-46401
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk23th percentile - higher than 23% of all known CVEs
Summary
HAX CMS, used for managing microsites with PHP or NodeJs backends, has an improper session termination vulnerability in versions prior to 26.0.0. Authentication tokens remain valid after user logout, allowing attackers to maintain persistent access to CMS functionality.
Risk Assessment
The organization is at risk of unauthorized access to CMS metadata and administrative functions, which could lead to serious security breaches.
Recommendation
It is recommended to upgrade to version 26.0.0 or later to mitigate this vulnerability.
Original NVD description (English source)
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.0 suffer from an improper session termination vulnerability where authentication tokens remain valid after user logout. This allows attackers who obtain valid tokens to maintain persistent access to authenticated CMS functionality, bypassing the intended session termination mechanism and enabling unauthorized access to CMS metadata and administrative functions. Version 26.0.0 fixes the issue.

