CVE-2026-46397
MediumCVSS 6.5Summary
HAX CMS prior to version 26.0.0 contains an Authenticated Local File Inclusion (LFI) vulnerability in the saveOutline endpoint, allowing a low-privileged user to read arbitrary files on the server. This vulnerability can be exploited by attackers to exfiltrate sensitive system files.
Risk Assessment
The organization is at risk of leaking sensitive data such as configuration files or application secrets, which could lead to serious security breaches.
Recommendation
It is recommended to upgrade HAX CMS to version 26.0.0 or later to mitigate this vulnerability.
Original NVD description (English source)
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). Version 26.0.0 patches the issue.

