CVE-2026-46397: Authenticated Local File Inclusion in HAX CMS (MEDIUM)
HAX CMS, a content management system for building microsite networks, contains a flaw that lets authenticated users read files they shouldn't have access to. An attacker with a valid login (even a low-privilege account) can manipulate how the system saves site configuration data, causing it to expose sensitive files like system passwords, API keys, or database credentials stored on the web server. This is a classic file inclusion attack that works over the network without requiring special browser interaction. The vendor has patched this in version 26.0.0.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-22, CWE-73
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). Version 26.0.0 patches the issue.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46397 is an authenticated local file inclusion vulnerability in HAX CMS versions prior to 26.0.0. The vulnerability exists in the saveOutline endpoint, where insufficient input validation on the location field allows an authenticated attacker to traverse the filesystem and read arbitrary files. By crafting malicious payloads in the location parameter that is written to site.json, an attacker can escape the intended directory context and access files anywhere the web server process (typically www-data) can read. This includes system configuration files, application secrets, and environment files that may contain database passwords or API credentials. The vulnerability requires prior authentication but does not require user interaction or elevated privileges beyond basic login access.
Business impact
Compromise of sensitive application and system files creates multiple downstream risks. Exposed credentials enable lateral movement to databases, external APIs, or internal infrastructure. Leaked configuration details may reveal application architecture, third-party service integrations, or security mechanisms. For organizations using HAX CMS to manage customer-facing microsites, this could also expose customer data if stored in accessible configuration files. The reputational and compliance impact depends on what sensitive data is readable by the web server process and how that data is handled post-breach. Organizations in regulated industries (healthcare, finance, education) face heightened notification and remediation obligations.
Affected systems
HAX CMS installations running versions prior to 26.0.0 with both PHP and NodeJs backend support are affected. The vulnerability requires that an attacker has valid authentication credentials (not necessarily admin-level) and network access to the CMS. This means the risk is primarily to organizations where user account creation is permitted or where internal staff may have been compromised. Air-gapped or strictly access-controlled deployments face lower exposure, while public-facing instances with open registration or many user accounts face higher risk.
Exploitability
Exploitability is straightforward for anyone with valid login credentials. The attack requires only HTTP requests to the saveOutline endpoint with a crafted location parameter—no complex exploitation techniques, no race conditions, no client-side tricks. An attacker does not need administrative privileges, making this accessible to any low-privileged user account. The primary barrier is obtaining initial authentication; once authenticated, file reading is reliable and does not depend on environment-specific factors like system configuration or library versions. The CVSS score of 6.5 reflects the authentication requirement and the lack of integrity or availability impact, but the confidentiality impact is marked as high because arbitrary file read access is generally considered a serious outcome.
Remediation
Immediate action: upgrade HAX CMS to version 26.0.0 or later. If immediate patching is not feasible, restrict access to the saveOutline endpoint at the network or application level to only trusted administrative users, and review access logs for suspicious manipulation of site configuration. Do not rely solely on network-level controls; patching is the definitive fix. After patching, review any site.json files that may have been modified during the vulnerability window to ensure no malicious location field injection remains.
Patch guidance
Upgrade to HAX CMS version 26.0.0 or any subsequent release. Verify the upgrade by checking the CMS version number in the admin panel or by reviewing the package.json (Node) or composer.json (PHP) manifest. Test the saveOutline endpoint after upgrade to confirm it no longer accepts path traversal sequences in the location field. If using a managed hosting provider, confirm they have released and deployed the patched version before removing your own mitigations.
Detection guidance
Monitor web server logs and CMS application logs for requests to the saveOutline endpoint that contain path traversal patterns in the location parameter, such as '../', '..\', '%2e%2e/', or encoded variants. Check for unusual file read patterns in access logs, particularly reads of /etc/passwd, configuration files, or .env files. Review site.json files for unexpected location field values that point outside the expected microsite directory. Implement application-level logging that captures the decoded location parameter value before it is processed, not just the raw HTTP request. Intrusion detection systems should be tuned to flag path traversal attempts in POST body parameters.
Why prioritize this
Although the CVSS score is medium (6.5), this vulnerability warrants prompt patching because it provides direct, unauthenticated-equivalent access to sensitive files with minimal attacker effort. The barrier is only user authentication, not special conditions or privilege escalation. Organizations should prioritize this above other medium-severity issues, especially if their HAX CMS instance supports multiple user accounts or if sensitive credentials are readable by the web server process. Delay increases the window for insider threats or compromised accounts to exploit the flaw.
Risk score, explained
The CVSS 3.1 score of 6.5 (MEDIUM) reflects: Attack Vector (Network) and Attack Complexity (Low) which indicate ease of remote exploitation; Privileges Required (Low) because any authenticated user can exploit it; User Interaction (None) because no victim action is needed; and Scope (Unchanged) because the impact is confined to the vulnerable component. The high Confidentiality impact recognizes that arbitrary file read is a serious information disclosure. Integrity and Availability are marked as None because the vulnerability does not corrupt data or disrupt service. Organizations with sensitive data readable by the web server should consider this vulnerability more urgent than the base score alone suggests.
Frequently asked questions
Can an attacker exploit this without a valid login?
No. The vulnerability requires prior authentication to the CMS. An attacker must have a valid user account and be able to reach the saveOutline endpoint. This significantly reduces the attack surface compared to unauthenticated flaws, but it remains serious if user registration is open or if account credentials have been compromised through other means.
What types of files can an attacker read?
Any file that the web server process (typically www-data on Linux) has read permissions for. This typically includes system files like /etc/passwd, application configuration files, .env files containing credentials, database connection strings, API keys, and sometimes parts of the application source code. The exact scope depends on file permissions and deployment architecture.
Does patching require downtime?
Patching depends on your deployment model. For most standard web server setups, upgrading HAX CMS and restarting the application should take minutes. Downtime can often be scheduled during a maintenance window. Verify with your hosting provider or deployment documentation if zero-downtime updates are possible with your configuration.
Should we reset passwords or rotate credentials after discovering exploitation?
Yes. If you suspect the vulnerability was exploited, treat any exposed credentials as compromised. Reset passwords for affected user accounts, rotate API keys and database credentials, and review access logs for those accounts during the suspected compromise window. If system files like /etc/shadow were exposed, consider rotating SSH keys and reviewing user account activity. Follow your incident response plan.
This analysis is based on published vulnerability data and vendor advisories as of the modification date. No exploit code or weaponized proof-of-concept has been created or reviewed by SEC.co. Actual risk to your organization depends on your specific HAX CMS version, deployment configuration, user access controls, and the sensitivity of data readable by your web server process. Verify patch availability and compatibility against the official HAX CMS security advisory before deploying updates. This document is provided for informational purposes and should not be considered legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-41412MEDIUMalf.io Extension Sandbox File Read Vulnerability
- CVE-2026-46402HIGHPath Traversal in Microsoft UFO Framework – Patch Guidance
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2019-25734MEDIUMContact Form by WD CSRF & Local File Inclusion Vulnerability
- CVE-2019-25740MEDIUMJoomla com_jsjobs Arbitrary File Deletion Vulnerability
- CVE-2024-47263MEDIUMSynology Hyper Backup Path Traversal – Admin Privilege Required
- CVE-2024-47273MEDIUMSynology Hyper Backup Path Traversal Vulnerability (4.3 MEDIUM)