CVE-2026-46390 PUBLISHED

HAX CMS has Unauthenticated Git Access via User-Controlled Key

Assigner: GitHub_M
Reserved: 13.05.2026 Published: 05.06.2026 Updated: 05.06.2026

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 2.0.0 and prior to version 26.0.0, the gitlist plugin is exposed to unauthenticated users, allowing unauthenticated browsing of git repositories and git history. Version 26.0.0 patches the issue.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.9

Product Status

Vendor haxtheweb
Product haxcms-php
Versions
  • Version >= 2.0.0, < 26.0.0 is affected

References

Problem Types

  • CWE-639: Authorization Bypass Through User-Controlled Key CWE