Security Advisory - Published 2026-06-12 - HAX CMS
HAX CMS June 2026 CVE cluster: check versions, tokens, uploads, and Git paths
The June 2026 HAX CMS batch affects both PHP and Node.js deployments. It is not a single endpoint to patch: token generation, upload handling, Git helpers, server-side fetches (SSRF), stored XSS, cookie flags, and exposed Git history all need to be checked.
What is affected
| CVE | Area | Affected versions | Patch target |
|---|---|---|---|
| CVE-2026-46395 | Node.js token signing | @haxtheweb/haxcms-nodejs through 25.0.0 | 26.0.0 or newer |
| CVE-2026-46511 | Stored XSS plus token exposure | HAX CMS before 26.0.0 | 26.0.0 or newer |
| CVE-2026-46399 | PHP file overwrite and Git filters | HAX CMS PHP before 26.0.0 | 26.0.0 or newer |
| CVE-2026-46400 | PHP upload validation | HAX CMS PHP 11.0.6 before 25.0.0 | 25.0.0 or newer; prefer 26.0.1+ |
| CVE-2026-46394 | PHP Git command handling | HAX CMS before 26.0.0 | 26.0.0 or newer |
| CVE-2026-46391 | open-apis host validation | @haxtheweb/open-apis 9.0.1 before 26.0.0 | 26.0.0 or newer |
| CVE-2026-46393 | Authenticated SSRF | HAX CMS before 26.0.0 | 26.0.0 or newer |
| CVE-2026-46392 | Upload rendering bypass | HAX CMS PHP before 26.0.0 | 26.0.0 or newer |
| CVE-2026-46396 / CVE-2026-46496 | Stored XSS in content components | HAX CMS before 26.0.0 | 26.0.0 or newer |
| CVE-2026-46398 | Refresh token cookie flag | HAX CMS 25.0.0 before 26.0.0 | 26.0.0 or newer |
| CVE-2026-46390 | gitlist exposure | HAX CMS 2.0.0 before 26.0.0 | 26.0.0 or newer |
| CVE-2026-46493 | Salt generation | HAX CMS before 26.0.1 | 26.0.1 or newer |
Fast inventory
```sh
# Locate candidate installs, then read the versions that are actually installed
# (lockfiles record installed versions; package.json only records ranges).
find . -maxdepth 4 \( -iname 'package.json' -o -iname 'composer.lock' -o -iname 'HAXCMS.php' \) -print
grep -Rni -E '@haxtheweb/(haxcms-nodejs|open-apis)|haxcms' \
  --include=package.json --include=package-lock.json --include=composer.lock . 2>/dev/null
node -p "require('./package.json').version" 2>/dev/null   # the site's own version
npm ls @haxtheweb/haxcms-nodejs @haxtheweb/open-apis 2>/dev/null   # the HAX package versions
```
Check the running deployment, not just the current repository. Old container images, copied PHP installs, and abandoned microsite roots can remain reachable after the main codebase has already been upgraded.
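To turn the table above into a check you can run against a lockfile, here is an added example script (ours, not HAX CMS project code). It reads the installed @haxtheweb package versions from a package-lock.json and lists the CVEs whose affected range covers them, using the ranges exactly as the table states them. Assumptions, labelled as such: rows that say only "HAX CMS" are applied to both the PHP and Node.js lines; PHP versions are entered by hand because this page gives no Composer package name; the lockfile content is constructed for the demo.

```python
"""Added example, not HAX CMS project code: map installed package versions
to the June 2026 advisory table.  Assumptions: "HAX CMS before X" rows apply
to both the PHP and Node.js lines; version strings are dotted numbers
(pre-release suffixes are ignored); SAMPLE_LOCK is constructed."""
import json
import re

def parse_version(v):
    """'26.0.1' -> (26, 0, 1); tolerates a leading 'v' and '-beta' suffixes."""
    core = re.match(r"v?(\d+(?:\.\d+)*)", v.strip())
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in core.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

# (cve, product, lower bound inclusive or None, upper bound, upper inclusive)
# Copied from the advisory table; product "any" = the PHP and Node.js lines.
ADVISORY = [
    ("CVE-2026-46395", "nodejs",    None,     "25.0.0", True),   # "through 25.0.0"
    ("CVE-2026-46511", "any",       None,     "26.0.0", False),
    ("CVE-2026-46399", "php",       None,     "26.0.0", False),
    ("CVE-2026-46400", "php",       "11.0.6", "25.0.0", False),
    ("CVE-2026-46394", "any",       None,     "26.0.0", False),
    ("CVE-2026-46391", "open-apis", "9.0.1",  "26.0.0", False),
    ("CVE-2026-46393", "any",       None,     "26.0.0", False),
    ("CVE-2026-46392", "php",       None,     "26.0.0", False),
    ("CVE-2026-46396", "any",       None,     "26.0.0", False),
    ("CVE-2026-46496", "any",       None,     "26.0.0", False),
    ("CVE-2026-46398", "any",       "25.0.0", "26.0.0", False),
    ("CVE-2026-46390", "any",       "2.0.0",  "26.0.0", False),
    ("CVE-2026-46493", "any",       None,     "26.0.1", False),
]

def applicable_cves(product, version):
    """product is 'php', 'nodejs' or 'open-apis'; returns matching CVE ids."""
    v = parse_version(version)
    hits = []
    for cve, prod, lo, hi, hi_incl in ADVISORY:
        targets = ("php", "nodejs") if prod == "any" else (prod,)
        if product not in targets:
            continue
        if lo is not None and v < parse_version(lo):
            continue
        hv = parse_version(hi)
        if v < hv or (hi_incl and v == hv):
            hits.append(cve)
    return hits

# npm package name -> product label used in ADVISORY
NODE_PACKAGES = {"@haxtheweb/haxcms-nodejs": "nodejs", "@haxtheweb/open-apis": "open-apis"}

def installed_from_package_lock(lock_text):
    """Read installed versions from a lockfileVersion 2/3 'packages' map."""
    data = json.loads(lock_text)
    found = {}
    for path, meta in data.get("packages", {}).items():
        for pkg, product in NODE_PACKAGES.items():
            if path.endswith("node_modules/" + pkg) and "version" in meta:
                found[product] = meta["version"]
    return found

def report(installed):
    """installed: {product: version}.  Add the PHP version by hand, e.g.
    installed['php'] = '24.2.0', read from the running deployment."""
    return {p: (v, applicable_cves(p, v)) for p, v in installed.items()}

# Constructed lockfile for the demo, not taken from any real site.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-site", "version": "1.0.0"},
        "node_modules/@haxtheweb/haxcms-nodejs": {"version": "25.0.0"},
        "node_modules/@haxtheweb/open-apis": {"version": "9.0.1"},
    },
})

if __name__ == "__main__":
    for product, (ver, cves) in report(installed_from_package_lock(SAMPLE_LOCK)).items():
        print(f"{product} {ver}: {', '.join(cves) or 'no CVEs from this batch'}")
```

Run it once per deployment root found by the inventory commands; a result that lists only CVE-2026-46493 means the install is at 26.0.0 and still needs the 26.0.1 salt fix.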
What to check before reopening the site
- Version: move HAX CMS PHP and Node.js installs to 26.0.1 or newer where possible.
- Tokens: rotate admin sessions, JWT signing material, site tokens, appstore tokens, and any API keys exposed to HAX CMS.
- Uploads: review recently uploaded HTML, media, PHP-like files, and content that renders active components.
- Git paths: check git history exposure, Git filter configuration, and repository helper logs.
- Outbound requests: restrict server-side fetch behavior so CMS users cannot reach internal metadata, localhost, or private service ranges.
- Cookies: confirm the refresh and session cookies carry the Secure flag (and HttpOnly), so a browser never sends them over plain HTTP, and that the server does not honour a session presented over plain HTTP.
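Two of the checks above can be scripted rather than eyeballed. The following is an added example (ours, not HAX CMS project code): it parses a Set-Cookie header for the flags the cookie item asks for, and implements the outbound-fetch guard the SSRF item describes, rejecting loopback, link-local (including the 169.254.169.254 metadata address), private and other non-public destinations. Assumptions, labelled as such: the cookie name and the DNS table are constructed for the demo; the resolver is injected so the block runs offline, and in production you would pass one built on socket.getaddrinfo.

```python
"""Added example, not HAX CMS project code: cookie-flag check and outbound
URL guard for the pre-reopen checklist.  Assumptions: cookie names and
FAKE_DNS are constructed; pass a real resolver in production."""
import ipaddress
from urllib.parse import urlsplit

def cookie_flag_findings(set_cookie_header):
    """Return (cookie_name, [missing hardening flags]) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip().lower()
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")            # browser may send it over plain HTTP
    if "httponly" not in attrs:
        missing.append("HttpOnly")          # readable by a stored-XSS payload
    if attrs.get("samesite") not in ("lax", "strict"):
        missing.append("SameSite=Lax/Strict")
    return name, missing

# Ranges an authoring user must never reach through a server-side fetch.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]

def _blocked(addr):
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified or addr.is_reserved
            or any(addr in net for net in BLOCKED_NETS))

def outbound_allowed(url, resolve):
    """Decide whether the CMS may fetch url.  resolve(host) -> list of IP
    strings.  Literal IPs are checked directly; names are resolved and every
    returned address must be public.  Returns (allowed, reason)."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return False, "only http(s) URLs with a host are allowed"
    if u.username or u.password:
        return False, "credentials in URL"
    host = u.hostname.lower()
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost"
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return False, "host did not resolve"
    if not addrs:
        return False, "host did not resolve"
    for a in addrs:
        if _blocked(a):
            return False, f"{a} is not a public address"
    return True, "ok"

# Constructed DNS table for the offline demo.
FAKE_DNS = {
    "example.org": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],
    "dual.example": ["93.184.216.35", "192.168.1.2"],   # one public, one private
}

def fake_resolve(host):
    return FAKE_DNS.get(host, [])

if __name__ == "__main__":
    print(cookie_flag_findings("haxcms_refresh=abc123; Path=/; HttpOnly"))
    for url in ("http://169.254.169.254/latest/meta-data/",
                "https://example.org/feed", "https://dual.example/"):
        print(url, outbound_allowed(url, fake_resolve))
```

Two caveats for real use: the check is only meaningful if the fetch then connects to the address that was vetted (resolve once, connect to that IP, and re-check on every redirect), otherwise DNS rebinding or a 302 to an internal host gets around it; and a name that resolves to both a public and a private address is rejected on purpose.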
Logs and compromise signs
- Requests to HAX CMS system API paths followed by admin actions without a normal login event.
- New or modified users, sites, pages, themes, uploaded files, or Git settings after June 5, 2026.
- Unexpected outbound HTTP requests from the CMS server to private IP ranges or cloud metadata addresses.
- Uploaded files with mixed-case extensions, active HTML content, or media components changed by unknown users.
- Git helper errors, new filters, changed remote URLs, or repository history browsing from unfamiliar IPs.
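As an added example (ours, not HAX CMS project code), the following runs a first pass over web-server access-log lines for the signs above that the access log can show: API writes from a client that never logged in, writes after the June 5 cutoff, and upload names with mixed-case or active-content extensions. Assumptions, labelled as such: the login endpoint /system/api/login, the /system/api/ prefix for authoring actions and the .../files/ location of uploads are illustrative names to be replaced with your deployment's paths; correlation is by client IP because the log does not carry the session; the sample lines are constructed.

```python
"""Added example, not HAX CMS project code: triage of access-log lines for
the compromise signs in the advisory.  Assumptions: LOGIN_PATH, API_PREFIX
and UPLOAD_MARK are illustrative paths; SAMPLE_LOG is constructed."""
import re
from datetime import datetime, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
CUTOFF = datetime(2026, 6, 5, tzinfo=timezone.utc)   # date given in the advisory
API_PREFIX = "/system/api/"        # assumed: authoring/admin API prefix
LOGIN_PATH = "/system/api/login"   # assumed: login endpoint
UPLOAD_MARK = "/files/"            # assumed: uploaded files are served under .../files/
MIXED_CASE_EXT = re.compile(r"\.(?=[A-Za-z]*[A-Z])(?=[A-Za-z]*[a-z])[A-Za-z]+$")
ACTIVE_EXT = {"html", "htm", "xhtml", "svg", "xml", "php", "phtml", "phar"}

def parse_line(line):
    """Parse one combined-format access-log line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["path"] = e["path"].split("?", 1)[0]
    return e

def triage(lines):
    """Return (kind, ip, path) findings.  A successful login marks the client
    IP; a later POST to the API from an unmarked IP is flagged.  API writes
    after CUTOFF and suspicious upload names are flagged regardless."""
    findings, logged_in = [], set()
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        ip, path = e["ip"], e["path"]
        if path == LOGIN_PATH:
            if e["status"] == 200:      # adjust to your deployment's success signal
                logged_in.add(ip)
            continue
        if path.startswith(API_PREFIX) and e["method"] == "POST":
            if ip not in logged_in:
                findings.append(("api-without-login", ip, path))
            if e["ts"] >= CUTOFF:
                findings.append(("write-after-cutoff", ip, path))
        if UPLOAD_MARK in path:
            name = path.rsplit("/", 1)[-1]
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if MIXED_CASE_EXT.search(name):
                findings.append(("mixed-case-extension", ip, path))
            if ext in ACTIVE_EXT:
                findings.append(("active-content-file", ip, path))
    return findings

# Constructed sample lines: one normal editing session before the cutoff and
# one unauthenticated write plus odd uploads after it.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jun/2026:09:12:01 +0000] "POST /system/api/login HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jun/2026:09:12:30 +0000] "POST /system/api/saveNode HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.23 - - [06/Jun/2026:02:41:10 +0000] "POST /system/api/saveFile HTTP/1.1" 200 120 "-" "curl/8.5.0"
198.51.100.23 - - [06/Jun/2026:02:41:15 +0000] "GET /_sites/demo/files/notes.HtMl HTTP/1.1" 200 5120 "-" "curl/8.5.0"
198.51.100.23 - - [06/Jun/2026:02:41:16 +0000] "GET /_sites/demo/files/cover.svg HTTP/1.1" 200 900 "-" "curl/8.5.0"
"""

if __name__ == "__main__":
    for kind, ip, path in triage(SAMPLE_LOG.splitlines()):
        print(f"{kind:22} {ip:16} {path}")
```

Treat the output as a worklist, not a verdict: a JWT reused from a logged-in browser on another IP, or a proxy in front of the CMS, will produce false positives, and the outbound SSRF sign needs the server's egress or firewall log rather than the access log.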
Safe fix path
- Put public editing and login behind a temporary access rule while you patch.
- Upgrade HAX CMS to 26.0.1 or newer, including both PHP and Node.js packages used by the deployment.
- Restart PHP-FPM, Node.js processes, queues, and reverse proxy workers after the update.
- Rotate tokens and secrets before trusting existing admin sessions.
- Review uploads, site content, Git settings, and logs before reopening public authoring.
When to request repair help
Use Ping7 CVE Repair if the site was public, you cannot map every HAX CMS backend version, or you see token, upload, Git, or content changes you cannot explain. The useful starting details are the site URL, deployment type, HAX CMS version, and the first suspicious request time.