Severity: HIGH | CNA: GitHub_M

CVE-2026-46393: HAXcms createSite SSRF Enables Arbitrary File Read

HAX CMS helps manage a microsite universe with PHP or NodeJS backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 26.0.0 allows authenticated users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. Version 26.0.0 contains a fix.

Metrics

  • CVSS v4.0: 7.1
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected products: 2


HarborGuard Analysis

Synopsis

A server-side request forgery (SSRF) vulnerability in HAXcms (both the Node.js and PHP backends) allows any authenticated user to instruct the server to fetch arbitrary internal or external URLs and write the responses into a web-accessible directory. The attack is reachable over the network and requires only a low-privilege account, meaning any registered user can trigger it without additional setup. Successful exploitation gives the attacker read access to internal network resources and local files, including any content the server can reach. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-46393 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication, covering both custom-built and registry-sourced images that include haxcms-nodejs or haxcms-php. Matching runs continuously against images in connected registries and active CI/CD pipelines so newly pushed images are checked without manual intervention.

Triage: Available

Triage is available using the CVSS v4.0 score of 7.1 (HIGH), with per-environment compliance policy weighting applied to surface findings at the priority level appropriate to each customer org. Routed alerts reach the right team inbox based on image ownership and policy configuration within each environment.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainers ship a confirmed fix release. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads as soon as that rebuild is available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the HAXcms service via HTTP or HTTPS.

  • Authentication: Required

    A low-privilege authenticated account is sufficient; any registered user of the HAXcms instance can trigger the SSRF.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker sends the malicious request directly to the server.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions or environmental preconditions.

Blast Radius

  • Reads arbitrary files accessible to the HAXcms server process, including configuration files, credentials, and application secrets.
  • Fetches resources on internal network segments that would otherwise be unreachable from the public internet, exposing internal services.
  • Writes fetched content into a web-accessible directory, making exfiltrated data retrievable by the attacker over a plain HTTP request.
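The fix for this class of SSRF is to validate the fetch target before the server requests it. The following is an added example, not HAXcms or HarborGuard code: it assumes the target arrives as a URL string, and that hostnames are additionally DNS-resolved and re-checked against the same address filters before connecting.

```javascript
// Added example, not HAXcms or HarborGuard code: validate a user-supplied URL
// before a server-side fetch, rejecting non-HTTP schemes and internal targets.
// Function names and the sample URLs are constructed for illustration.

// The WHATWG URL parser emits IPv4 hosts in canonical dotted-decimal form, so
// tricks such as http://2130706433/ or http://0x7f.1/ arrive here as 127.0.0.1.
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Hostnames must be DNS-resolved and every returned address re-checked with
// these functions before connecting, or DNS rebinding bypasses the filter.
function isBlockedIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 ||        // "this" network, RFC 1918, loopback
    (a === 100 && b >= 64 && b <= 127) ||           // shared address space (CGNAT)
    (a === 169 && b === 254) ||                      // link-local, incl. cloud metadata
    (a === 172 && b >= 16 && b <= 31) ||             // RFC 1918
    (a === 192 && b === 168) ||                      // RFC 1918
    a >= 224;                                        // multicast, reserved, broadcast
}

function isBlockedIPv6(ip) {
  const lower = ip.toLowerCase();
  if (lower === "::" || lower === "::1") return true;   // unspecified, loopback
  if (lower.startsWith("::ffff:")) {                    // IPv4-mapped, dotted or hex form
    const rest = lower.slice(7);
    if (IPV4.test(rest)) return isBlockedIPv4(rest);
    const m = rest.match(/^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
    if (!m) return true;                                // unexpected shape: fail closed
    const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
    return isBlockedIPv4([hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join("."));
  }
  return /^(fc|fd|fe[89ab])/.test(lower);               // ULA, link-local
}

// Returns { ok: true, host } or { ok: false, reason }.
function validateFetchTarget(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` }; // file:, ftp:, gopher: ...
  }
  const host = url.hostname.replace(/^\[|\]$/g, "");  // hostname keeps IPv6 brackets; strip them
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "loopback hostname" };
  if (IPV4.test(host) && isBlockedIPv4(host)) return { ok: false, reason: "internal IPv4 address" };
  if (host.includes(":") && isBlockedIPv6(host)) return { ok: false, reason: "internal IPv6 address" };
  return { ok: true, host };
}
```

Pair this with writing fetched content only to a non-web-served directory under a server-generated file name, so that even an allowed fetch cannot be turned into a retrievable exfiltration channel.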

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of this advisory across all connected environments for images containing haxcms-nodejs or haxcms-php below version 26.0.0. Because no upstream fix has been published, no patched-image rebuild can be generated yet; HarborGuard re-evaluates the advisory on every ingest cycle and will make the rebuild available automatically once a fix version is confirmed upstream. In the interim, customers can apply compensating controls through HarborGuard policy: network-policy isolation to block outbound requests from the HAXcms container to internal subnets, egress filtering rules scoped to known-safe external hosts, and feature-flag gating to restrict the createSite endpoint to administrator-level roles where the application supports it. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and PR against affected workloads will be opened with no manual steps required as soon as upstream ships the patch.

Affected packages

  • haxtheweb / haxcms-nodejs: < 26.0.0
  • haxtheweb / haxcms-php: < 26.0.0

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N