CVE-2026-46357: HAX CMS Denial of Service via Malformed Site Creation Request
CVE-2026-46357 is a denial-of-service vulnerability in HAX CMS (NodeJS version) that allows an authenticated user to crash the entire application with a single malformed request to the site creation endpoint. The impact is severe from an availability perspective: the application goes completely offline and requires manual server restart to recover. This affects only the NodeJS backend; PHP deployments are not impacted.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-20
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire application offline, requiring a manual server restart to restore service. Version 26.0.0 fixes the issue.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
HAX CMS versions prior to 26.0.0 fail to properly validate input on the createSite endpoint (CWE-20: Improper Input Validation). An authenticated attacker can send a specially crafted request that triggers an unhandled exception or resource exhaustion condition, causing the Node.js process to crash. The vulnerability requires authentication, meaning the attacker must already have valid credentials. Version 26.0.0 resolves the issue through input validation improvements.
Business impact
An internal or compromised user account can render the entire microsite management platform unavailable without any corrective action other than manual server restart. For organizations relying on HAX CMS for production microsite operations, this creates an unplanned downtime risk. The attack requires only a single request and no special timing or coordination, making it trivially easy to exploit once an attacker has user credentials.
Affected systems
HAX CMS NodeJS backend versions prior to 26.0.0 are vulnerable. The PHP backend variant is not affected. Organizations should verify their deployment architecture (NodeJS vs. PHP) and current version number. Affected versions span all releases before version 26.0.0.
Exploitability
Exploitability is straightforward for users with valid authentication credentials. The attack vector is network-based, requires no user interaction, and succeeds with a single HTTP request. No special tools, timing coordination, or advanced techniques are required. The barrier to entry is low—the attacker simply needs legitimate (or compromised) application credentials. The CVSS score of 6.5 (Medium) reflects the requirement for prior authentication and the availability-only impact (no confidentiality or integrity compromise).
Remediation
Upgrade HAX CMS NodeJS deployments to version 26.0.0 or later immediately. Before patching, restrict access to the createSite endpoint to a minimal set of trusted users. Monitor authentication logs for suspicious site creation attempts. PHP-based HAX CMS deployments require no action. Verify your backend type and version number in your deployment documentation or application settings.
Patch guidance
Apply version 26.0.0 or any subsequent patch release to your HAX CMS NodeJS installation. Verify against the official HAX CMS release notes that the patch addresses input validation on the createSite endpoint. Test the patch in a non-production environment first to ensure compatibility with your custom microsite configurations. Schedule the update during a maintenance window, as it will require an application restart.
Detection guidance
Monitor application logs and error reporting for crashes in the createSite endpoint handler. Look for HTTP POST requests to the createSite endpoint with unusual or malformed payloads, especially from authenticated accounts with unexpected request patterns. Implement alerting on Node.js process restarts or out-of-memory conditions that correlate with createSite requests. Review authentication logs for accounts making rapid or unusual createSite requests. If you observe a crash of the Node.js process after a createSite request from an authenticated user, preserve logs and memory dumps for forensic analysis.
Why prioritize this
Although rated CVSS 6.5 (Medium), this vulnerability merits rapid patching because: (1) it enables trivial denial of service with a single request, (2) it requires only low-privilege authentication, not admin credentials, (3) it completely disables the application (not partial degradation), and (4) no workaround exists other than access restriction. Organizations should prioritize this above other medium-severity issues that offer partial mitigation or require higher privilege levels.
Risk score, explained
CVSS 6.5 reflects a network-accessible vulnerability requiring authentication (PR:L), with no complexity barrier (AC:L), affecting only availability (A:H) with no confidentiality or integrity loss (C:N, I:N). The Medium rating is appropriate because authentication is a prerequisite. However, the real-world risk may feel higher because a single authenticated user can paralyze the entire service, and in environments with many internal users or shared credentials, the likelihood of exploitation increases.
Frequently asked questions
Does this vulnerability affect HAX CMS PHP deployments?
No. CVE-2026-46357 affects only the NodeJS backend. HAX CMS installations using a PHP backend are not vulnerable and require no patch.
Can an attacker exploit this without valid credentials?
No. The vulnerability requires prior authentication. An unauthenticated attacker cannot trigger the crash. However, any authenticated user—including low-privilege accounts or compromised credentials—can exploit it.
What versions of HAX CMS NodeJS are vulnerable?
All versions prior to 26.0.0 are vulnerable. Version 26.0.0 and later include the fix.
Is there a temporary mitigation if we cannot patch immediately?
Yes. Restrict network or role-based access to the createSite endpoint to only administrators or essential staff. This reduces the attack surface while you prepare your patching schedule. However, patching is the definitive remediation.
This analysis is based on the CVE record published 2026-06-05 and modified 2026-06-17. All patch version references and affected product information should be verified against official HAX CMS security advisories and release notes before taking action. SEC.co does not provide guarantee of the accuracy or completeness of vulnerability information and recommends independent validation of all findings in your environment. No exploit code or weaponized proof-of-concept is provided; testing should be confined to authorized environments only. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-5089MEDIUMArista EOS/CVX DoS via Malformed Messages
- CVE-2025-5090MEDIUMCVX CVE-2025-5090: Input Validation Flaw Leads to Agent Crashes and Denial of Service
- CVE-2026-0018MEDIUMAndroid AccessibilityManagerService Denial of Service Vulnerability
- CVE-2026-0051MEDIUMAndroid UBSan Runtime Denial of Service Vulnerability
- CVE-2026-0070MEDIUMAndroid DevicePolicyManagerService Local Denial of Service Vulnerability
- CVE-2026-0085MEDIUMAndroid Contact Handler Denial of Service Vulnerability
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10566MEDIUMMetaGPT Local Deserialization Vulnerability Exploit Available