Security Advisory - Published 2026-06-12 - HAX CMS

HAX CMS June 2026 CVE cluster: check versions, tokens, uploads, and Git paths

The June 2026 HAX CMS batch affects both PHP and Node.js deployments. The risky areas are not one single endpoint: token generation, upload handling, Git helpers, SSRF, stored XSS, cookie flags, and exposed git history all need to be checked.

Defensive scope: this page covers inventory, patching, token rotation, log review, and cleanup for systems you own or operate. It does not include payloads, forged token steps, or instructions for testing someone else's HAX CMS site.

What is affected

CVE | Area | Affected line | Patch target
CVE-2026-46395 | Node.js token signing | @haxtheweb/haxcms-nodejs through 25.0.0 | 26.0.0 or newer
CVE-2026-46511 | Stored XSS plus token exposure | HAX CMS before 26.0.0 | 26.0.0 or newer
CVE-2026-46399 | PHP file overwrite and Git filters | HAX CMS PHP before 26.0.0 | 26.0.0 or newer
CVE-2026-46400 | PHP upload validation | HAX CMS PHP 11.0.6 before 25.0.0 | 25.0.0 or newer; prefer 26.0.1+
CVE-2026-46394 | PHP Git command handling | HAX CMS before 26.0.0 | 26.0.0 or newer
CVE-2026-46391 | open-apis host validation | @haxtheweb/open-apis 9.0.1 before 26.0.0 | 26.0.0 or newer
CVE-2026-46393 | Authenticated SSRF | HAX CMS before 26.0.0 | 26.0.0 or newer
CVE-2026-46392 | Upload rendering bypass | HAX CMS PHP before 26.0.0 | 26.0.0 or newer
CVE-2026-46396 / 46496 | Stored XSS in content components | HAX CMS before 26.0.0 | 26.0.0 or newer
CVE-2026-46398 | Refresh token cookie flag | HAX CMS 25.0.0 before 26.0.0 | 26.0.0 or newer
CVE-2026-46390 | gitlist exposure | HAX CMS 2.0.0 before 26.0.0 | 26.0.0 or newer
CVE-2026-46493 | Salt generation | HAX CMS before 26.0.1 | 26.0.1 or newer

Fast inventory

find . -maxdepth 4 -iname 'package.json' -o -iname 'composer.lock' -o -iname 'HAXCMS.php'
grep -Rni -E '@haxtheweb/haxcms-nodejs|@haxtheweb/open-apis|haxcms' package.json package-lock.json composer.lock 2>/dev/null
node -p "require('./package.json').version" 2>/dev/null

Check the running deployment, not just the current repository. Old container images, copied PHP installs, and abandoned microsite roots can remain reachable after the main codebase has already been upgraded.

What to check before reopening the site

  • Version: move HAX CMS PHP and Node.js installs to 26.0.1 or newer where possible.
  • Tokens: rotate admin sessions, JWT signing material, site tokens, appstore tokens, and any API keys exposed to HAX CMS.
  • Uploads: review recent uploaded HTML, media, PHP-like files, and content that renders active components.
  • Git paths: check git history exposure, Git filter configuration, and repository helper logs.
  • Outbound requests: restrict server-side fetch behavior so CMS users cannot reach internal metadata, localhost, or private service ranges.
  • Cookies: confirm refresh/session cookies require HTTPS and are not accepted over plain HTTP.

Logs and compromise signs

  • Requests to HAX CMS system API paths followed by admin actions without a normal login event.
  • New or modified users, sites, pages, themes, uploaded files, or Git settings after June 5, 2026.
  • Unexpected outbound HTTP requests from the CMS server to private IP ranges or cloud metadata addresses.
  • Uploaded files with mixed-case extensions, active HTML content, or media components changed by unknown users.
  • Git helper errors, new filters, changed remote URLs, or repository history browsing from unfamiliar IPs.
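The first sign in the list above (system API activity from a client that never logged in) can be pulled out of ordinary access logs with a short triage script. This is an added example, not HAX CMS code or this advisory's tooling; the route prefix, login path, log layout and sample lines are constructed placeholders and must be adjusted to the real deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Placeholders, not real HAX CMS routes: set these to your deployment's system API prefix and login route.
SYSTEM_API_PREFIX = "/system/api/"
LOGIN_PATH = "/system/api/login"
JUNE_5_CUTOFF = datetime(2026, 6, 5, tzinfo=timezone.utc)  # review window from the list above

# Common/combined access-log layout; adjust the pattern if your proxy logs differently.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string before matching routes
    return rec

def unauthenticated_admin_activity(lines, since=None):
    """Map client IP -> [(iso timestamp, path)] for successful system API calls made
    before that IP produced any successful login. Lines must be in time order."""
    logged_in = set()
    flagged = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if since is not None and rec["ts"] < since:
            continue
        success = rec["status"].startswith("2")
        if rec["path"] == LOGIN_PATH:
            if success:
                logged_in.add(rec["ip"])
            continue
        if success and rec["path"].startswith(SYSTEM_API_PREFIX) and rec["ip"] not in logged_in:
            flagged[rec["ip"]].append((rec["ts"].isoformat(), rec["path"]))
    return dict(flagged)

# Constructed sample lines (documentation IP ranges, placeholder routes), oldest first.
SAMPLE_LOG = [
    '192.0.2.77 - - [04/Jun/2026:08:00:00 +0000] "POST /system/api/saveNode HTTP/1.1" 200 30',
    '203.0.113.5 - - [07/Jun/2026:09:00:01 +0000] "POST /system/api/login HTTP/1.1" 200 512',
    '203.0.113.5 - - [07/Jun/2026:09:00:09 +0000] "POST /system/api/saveNode HTTP/1.1" 200 88',
    '198.51.100.23 - - [07/Jun/2026:09:14:33 +0000] "POST /system/api/saveNode HTTP/1.1" 200 88',
    '198.51.100.23 - - [07/Jun/2026:09:15:02 +0000] "POST /system/api/createSite HTTP/1.1" 200 140',
    '192.0.2.77 - - [07/Jun/2026:09:20:00 +0000] "POST /system/api/saveNode HTTP/1.1" 401 30',
]
```

Run it over the reverse proxy log with `since=JUNE_5_CUTOFF`; failed (non-2xx) calls are ignored, and a hit means that client reached a system API route without a login the log can account for, which is the token-reuse pattern to investigate before trusting existing sessions.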

Safe fix path

  1. Put public editing and login behind a temporary access rule while you patch.
  2. Upgrade HAX CMS to 26.0.1 or newer, including both PHP and Node.js packages used by the deployment.
  3. Restart PHP-FPM, Node.js processes, queues, and reverse proxy workers after the update.
  4. Rotate tokens and secrets before trusting existing admin sessions.
  5. Review uploads, site content, Git settings, and logs before reopening public authoring.

When to request repair help

Use Ping7 CVE Repair if the site was public, you cannot map every HAX CMS backend version, or you see token, upload, Git, or content changes you cannot explain. The useful starting details are the site URL, deployment type, HAX CMS version, and the first suspicious request time.

References