CVE-2026-46397 | THREATINT

Description

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). Version 26.0.0 patches the issue.

PUBLISHED Reserved 2026-05-13 | Published 2026-06-05 | Updated 2026-06-08 | Assigner GitHub_M

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-73: External Control of File Name or Path

Product status

< 26.0.0

affected

< 26.0.0

affected

References

github.com/...issues/security/advisories/GHSA-7fr7-h4p3-jjr8 exploit

github.com/...issues/security/advisories/GHSA-7fr7-h4p3-jjr8

cve.org (CVE-2026-46397)

nvd.nist.gov (CVE-2026-46397)

Download JSON